THE ROLE OF CYBER INSURANCE IN RISK 
MANAGEMENT 


Tuesday, March 22, 2016 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Washington, DC. 

The subcommittee met, pursuant to call, at 10:14 a.m., in Room 
311, Cannon House Office Building, Hon. John Ratcliffe [Chairman 
of the subcommittee] presiding. 

Present: Representatives Ratcliffe, Perry, Clawson, Donovan, 
Richmond, and Langevin. 

Mr. Ratcliffe. Good morning, everyone. Before we begin today, 
I want to take a moment and recognize a moment of silence to re- 
member the victims of the terror attacks this morning in Brussels. 

Thank you. 

You know, attacks like these really cement the need for this com- 
mittee to move forward with urgency on all fronts to try and pre- 
vent and protect Americans from attacks like these here in the 
United States. 

With that, the Committee on Homeland Security, the Sub- 
committee on Cybersecurity, Infrastructure Protection, and Secu- 
rity Technologies will come to order. The subcommittee today is 
meeting to examine the potential opportunities to promote the 
adoption of cyber best practices and more effective management of 
cyber risks through cyber insurance. I now recognize myself for an 
opening statement. 

The House Homeland Security Committee, Subcommittee on Cy- 
bersecurity, Infrastructure Protection, and Security Technology 
meets today to hear from key stakeholders about the role of cyber 
insurance in managing risk. Just yesterday, the Bipartisan Policy 
Center came out with a publication on the room for growth in this 
market and the barriers that it faces. Specifically, today we hope 
to hear about the potential for cyber insurance to be used to drive 
companies of all sizes to improve their resiliency against cyber at- 
tacks and develop a more effective risk management strategy, 
thereby leading to a safer internet for all Americans. 

The cyber insurance market is in its infancy, but it is easy to en- 
vision its vast potential. Just as the process of obtaining home in- 
surance can incentivize homeowners to invest in strong locks, 
smoke detectors, and security alarms, the same could be true for 
companies seeking to obtain cyber insurance. It is for that reason 
that I look forward to hearing from our witnesses today on the cur- 
rent state of the cyber insurance market and what can be done to 
develop and to improve and to expand the availability of cyber in- 
surance in the future. 

As news of the recent hacks and breaches and data exfiltrations 
demonstrates, cyber vulnerabilities impact every American and 
cause significant concern. The interconnectedness of society exposes 
everyone to these risks now. The interconnectedness of society — the 
breaches at Home Depot, Target, and JPMorgan Chase are just a 
few examples of the cyber incidents that have significantly im- 
pacted Americans every day. 

According to the World Economic Forum’s 2015 Global Risk Re- 
port, technological risks in the form of data fraud, cyber attacks, 
or infrastructure breakdowns, rank in the top 10 of all risks facing 
the global economy. In light of these risks and their enormous sig- 
nificance to individuals, families, and companies, we really need to 
be exploring market-driven methods for improving the security of 
companies that store all of our personal information. I believe cyber 
insurance to be one such solution. 

The very process of considering, applying for, and maintaining 
cyber insurance requires entities to assess the security of their sys- 
tems and to examine their own weaknesses and vulnerabilities. 
The process is constructive, not only for obtaining a fairly-priced 
policy, but also as a means of improving the company’s security in 
the process. Obtaining and maintaining cyber insurance may be a 
market-driven means of effecting a rising tide to lift all boats, 
thereby advancing the security of our entire Nation. 

Today, those acquiring cyber insurance largely consist of leading 
companies that have the most to lose. These market leaders have 
looked down the road and recognize that the best way to mitigate 
their own vulnerabilities is to ensure against as many cyber risks 
as possible. However, we need to explore ways for this marketplace 
to expand to create a wide array of diverse, affordable products 
that will benefit small and medium-sized entities as well. 

The Department of Homeland Security’s Cyber Incident Data 
and Analysis Working Group, or CIDAWG, has facilitated discus- 
sions with relevant stakeholders, including many of the witnesses 
today, to find ways to further expand the cyber insurance market’s 
ability to address emerging risk areas. The DHS working group has 
examined the potential value of creating a cyber incident data re- 
pository to foster the voluntary sharing of data about breaches, 
business interruption events, and industrial control system attacks 
to aid mitigation and risk-transfer approaches. Additionally, they 
are looking to develop new cyber risk scenarios, models, and sim- 
ulations to promote the understanding about how a cyber attack 
might cascade across infrastructure sections. 

Last, they are examining ways to assist organizations of all sizes 
in better prioritizing and managing their top cyber risks. 

Over the next several decades, I hope to see a matured insurance 
ecosystem that incentivizes companies of all sizes to adopt stronger 
cybersecurity best practices and more effective management of 
cyber risks against bad actors in cyber space. We look forward to 
your perspectives on these efforts and what the private sector is 
doing to make it easier for Americans to more effectively manage 
cyber risks. 
As Chairman of this subcommittee, I am committed to ensuring 
that legislators help facilitate, but not mandate, solutions to better 
protect our private-sector networks against cyber adversaries. As I 
see it, the private sector has always led the way with respect to 
innovation and investment in this space, and we have an obligation 
to continue leaning heavily on this wealth of front-line expertise. 

I have no doubt that this is only the beginning of our conversa- 
tion on cyber insurance. This market is growing and it is new. I’m 
hopeful that we will continue to find ways to facilitate the healthy, 
market-driven maturation of the cyber insurance market as an ef- 
fective means of improving our Nation’s cybersecurity posture. 

[The statement of Chairman Ratcliffe follows:] 

Statement of Chairman John Ratcliffe 
March 22, 2016 

The House Homeland Security Committee, Subcommittee on Cybersecurity, Infra- 
structure Protection, and Security Technologies meets today to hear from key stake- 
holders about the role of cyber insurance in managing risk. Just yesterday the Bi- 
partisan Policy Center came out with a publication on the room for growth in this 
market and the barriers that it faces. Specifically, we hope to hear about the poten- 
tial for cyber insurance to be used to drive companies of all sizes to improve their 
resiliency against cyber attacks and develop a more effective risk management 
strategy, leading to a safer internet for all Americans. 

The cyber insurance market is in its infancy. But it’s easy to envision its vast po- 
tential. Just as the process of obtaining home insurance can incentivize homeowners 
to invest in strong locks, smoke detectors, and security alarms, the same could be 
true for companies seeking to obtain cyber insurance. It is for that reason that I 
look forward to hearing from the witnesses today on the current state of the cyber 
insurance market, and what can be done to develop, improve, and expand the avail- 
ability of cyber insurance in the future. 

As news of the recent hacks, breaches, and data exfiltrations demonstrates, cyber 
vulnerabilities impact every American and cause significant concern. The inter- 
connectedness of society exposes everyone to these risks. The breaches at Home 
Depot, Target, and JPMorgan Chase are just a few examples of cyber incidents that 
significantly impacted everyday Americans. Further, according to the World Eco- 
nomic Forum’s 2015 Global Risk Report, technological risks in the form of data 
fraud, cyber attacks, or infrastructure breakdown rank in the top 10 of all risks fac- 
ing the global economy. 

In light of these risks and their enormous significance to individuals, families, and 
companies, we must explore market-driven methods for improving the security of 
the companies that store our personal information. 

I believe cyber insurance may be one such solution. The very process of consid- 
ering, applying for, and maintaining cyber insurance requires entities to assess the 
security of their systems and examine their own weaknesses and vulnerabilities. 
This process is constructive, not only for obtaining a fairly-priced policy, but also 
as a means of improving the company’s security in the process. Obtaining and main- 
taining cyber insurance may be a market-driven means of enabling “all boats to 
rise,” thereby advancing the security of the Nation. 

Today, those acquiring cyber insurance largely consist of leading companies that 
have the most to lose. These market leaders have looked down the road and recog- 
nized the best way to mitigate their own vulnerabilities is to insure against as many 
cyber risks as possible. However, we need to explore ways for this marketplace to 
expand to create a wide array of diverse, affordable products that will also benefit 
small and medium-sized entities. 

The Department of Homeland Security’s Cyber Incident Data and Analysis Work- 
ing Group has facilitated discussions with relevant stakeholders, including many of 
the witnesses today, to find ways to further expand the cyber insurance market’s 
ability to address emerging risk areas. The DHS working group has examined the 
potential value of creating a cyber incident data repository to foster the voluntary 
sharing of data about breaches, business interruption events, and industrial control 
system attacks to aid risk mitigation and risk transfer approaches. Additionally, 
they are looking to develop new cyber risk scenarios, models, and simulations to 
promote the understanding about how a cyber attack might cascade across infra- 
structure sections. Lastly, they are examining ways to assist organizations of all 
sizes in better prioritizing and managing their top cyber risks. 

Over the next several decades, I hope to see a matured cyber insurance ecosystem 
that incentivizes companies of all sizes to adopt stronger cybersecurity best practices 
and more effective management of cyber risks against bad actors in cyber space. 

We look forward to hearing your perspectives on these efforts and what the pri- 
vate sector is doing to make it easier for Americans to more effectively manage 
cyber risks. As Chairman of this subcommittee, I’m committed to ensuring that leg- 
islators help facilitate — but not mandate — solutions to better protect our private-sec- 
tor networks against cyber adversaries. As I see it, the private sector has always 
led the way with respect to innovation and investment in this space, and we have 
an obligation to continue leaning heavily on this wealth of front-line expertise. 

I have no doubt that this is only the beginning of the conversation on cyber insur- 
ance. This market is growing and it is new. I am hopeful that we will continue to 
find ways to facilitate the healthy, market-driven maturation of the cyber insurance 
market as an effective means of improving our Nation’s cybersecurity posture. 

Mr. Ratcliffe. The Chair now recognizes the Ranking Minority 
Member of our subcommittee, the gentleman from Louisiana, my 
friend, Mr. Richmond, for any opening statement that he may have. 

Mr. Richmond. Thank you, Mr. Chairman, for holding this hear- 
ing today on cyber insurance. I want to thank the witnesses for 
taking their time and their testimony today. 

Unfortunately, business and Government in America and across 
the world have seen increased levels and frequencies of cyber at- 
tacks, and the rapidly accelerating sophistication of state-sponsored 
and privately-organized cyber criminals. 

Over the past few years, this subcommittee has conducted Gov- 
ernment oversight and produced legislative initiatives and worked 
diligently to provide the Department of Homeland Security and 
other Federal agencies with the tools it needs to protect our sys- 
tems and our databases, and encourage the participation of private 
industry, both in the critical infrastructure sector and for informa- 
tion sharing. 

Today, we are going to hear from private industry and a rep- 
resentative of their State insurance regulatory commissioners 
about cyber insurance. While the full committee, and particularly 
this subcommittee, has no oversight or legislative jurisdiction over 
the cyber insurance activities of those actors and sectors, we do 
have an interest in how they are doing. The statistics are familiar 
to us all. 

The percentage of U.S. critical infrastructure assets owned by 
private-sector firms is estimated to be somewhere in the neighbor- 
hood of 85 percent. The way these assets are operated and man- 
aged has vastly changed over the last few decades, due to the im- 
pact of the digital revolution related to computer-based information 
systems. These changes have increased the efficiency associated 
with using our infrastructure assets. The digital revolution, how- 
ever, has also created serious risks to the Nation’s critical infra- 
structure due to actual and potential cybersecurity breaches. 

As noted by President Obama in his Executive Order on cyberse- 
curity on February 12, 2013, he stated: Repeated cyber intrusions 
into critical infrastructure demonstrate the need for improved cy- 
bersecurity. The cyber threat to critical infrastructure continues to 
grow and represents one of the most serious National security chal- 
lenges we must confront. 

Last year set a high bar for the size and scope of data breaches, 
led by the theft of over 20 million Government background checks, 
and with that high bar, an increasing interest in how State and 
local governments and businesses, large and small, can manage 
their risk and vulnerabilities when they operate in cyber space. For 
example, recently, on a panel on Lessons Learned From the Real- 
World Chief Information Security Officers, the University of Vir- 
ginia’s Randy Marchany explained that the increased and sophis- 
tication of the level of today’s cyber threats forces him to assume 
that hackers already have access to his network, and the best he 
can do is to monitor for when the latent threat becomes active. 

With that said, let’s cut to the chase. What would a cyber insur- 
ance policy look like if an experienced chief information security of- 
ficer of a company or municipal government came to your insur- 
ance agency with the proposition that it is likely that his systems 
had already been hacked and the malware was likely dormant, but 
he wanted to purchase insurance from you as to mitigation and re- 
percussions? Or to complicate things even more, and to introduce 
the well-known moral hazard consideration that accompanies many 
insurance policies, what if a hypothetical chief information security 
officer knew he had been hacked, but wasn’t telling you or anyone 
else, and he knew or suspected that the hacker intrusion was lying 
dormant and would activate at some later date? 

I am not the first to pose these kinds of questions, and these are 
questions I am sure all of us have had, if you contemplate the issue 
of cyber insurance at all. But the worst-case scenarios, going for- 
ward, cyber insurance can play a key role in helping businesses, es- 
pecially small and mid-size businesses, to assess their cybersecu- 
rity posture and readiness, and their ability to be resilient and re- 
cover from anticipated cyber threats and attacks. 

We are engaged in an exceptionally complex and nuanced policy 
arena. I am especially interested to see how the States will handle 
the regulatory responsibilities that surround cyber insurance and 
how the States can serve as incubators for innovative solutions to 
the National, international, and industry-wide challenge of cyberse- 
curity for our Nation’s businesses and Government agencies. 

Mr. Chairman, before I yield back, I would ask unanimous con- 
sent to submit for the record a white paper on cyber insurance 
from the George Washington University Center for Cyber and 
Homeland Security. The author is Brian E. Finch, a senior fellow, 
and member of the Center’s Cybersecurity Task Force. Mr. Finch 
is a senior partner at Pillsbury, Winthrop, Shaw, and Pittman, and 
also serves as a senior adviser to the Homeland Security and De- 
fense Business Council. 

Mr. Ratcliffe. Without objection. 

[The information follows:] 

Submitted For the Record by Hon. Cedric L. Richmond 

Statement of Brian E. Finch, Esq., Partner, Pillsbury Winthrop Shaw Pittman LLP 

March 22, 2016 

Chairman Ratcliffe, Ranking Member Richmond, distinguished Members of the 
subcommittee, thank you for allowing me to submit a statement for the record ad- 
dressing the role cyber insurance can play in risk management. 

My name is Brian Finch and I am here today testifying in my capacity as a part- 
ner with the law firm of Pillsbury Winthrop Shaw Pittman LLP. I am also a senior 
fellow with The George Washington University Center for Cyber and Homeland Se- 
curity, where I am a member of the Center’s Cybersecurity Task Force, a senior ad- 
visor to the Homeland Security and Defense Business Council, and a member of the 
National Center for Spectator Sport Safety and Security’s Advisory Board. 

As I have previously noted to Members of this subcommittee, cybersecurity, cyber- 
security best practices, and risk management processes are critical to our Nation’s 
economic security and physical safety. Members of this subcommittee know all too 
well that our cyber enemies are numerous, growing, and increasingly sophisticated. 
If we have learned anything over the past few years with respect to the threat posed 
by our cyber enemies, it is that even our most advanced cyber defenses cannot keep 
up with the sophistication and innovation of cyber attack methodologies. The result 
is a steady if not increasing “cyber gap” between defense and offense. 

In that vein, we must confront the fact that too much focus has been given to 
“eliminating” the cyber threat posed to America. Indeed, no company has an “Enter- 
prise Risk Eliminator,” so as the title of this hearing implies, our efforts should be 
concentrated on managing cyber risk. 

I will leave it to the Members of this subcommittee and the witnesses at the hear- 
ing to discuss critical facts related to what cyber insurance as it currently exists has 
to offer, including with respect to the amount of insurance that is available to any- 
one company, much less in total. 

What I would like to bring to the attention of the subcommittee instead is that 
today’s cyber insurance products are focused on the wrong end of the problem. 
Cyber insurers, like many others, have correctly assessed that cyber attacks will 
successfully strike a company at some point. However, these cyber insurance models 
suffer a fundamental disconnect in that they operate under the assumption that 
cyber attacks will be sporadic and will rarely succeed. 

The reality is that cyber attacks are a constant threat, seeking to penetrate infor- 
mation systems and technologies from every direction and through every possible 
entry. I would argue therefore that the insurance market has been using incorrect 
models and assumptions when developing policies for use in cyber risk management. 

Rather than viewing cyber attacks as infrequent events like a fire or natural dis- 
aster, I believe cyber risk management would be best served if insurers looked to- 
wards policies that use a personal health model. That means cyber insurers should 
look to establish an infrastructure that supports constant care and promotes 
wellness, not merely reimbursement for periodic losses. In my mind, it follows then 
that cyber insurers should develop cyber policies using a health maintenance organi- 
zation or “HMO” model. 

Under that model, the insurer’s goal will be to promote the “right” kinds of 
claims — ones that encourage healthy behavior. This model addresses the reality that 
inevitably some sort of cyber disease will work its way into the blood stream by sup- 
porting interventional care that prevents minor scratches from developing into a se- 
rious infection. 

Companies would gain access to the cyber HMO by paying monthly premiums 
along with associated “co-pays”, “deductibles”, and similar expenses typically associ- 
ated with a health insurance plan. 

That cyber HMO plan would give the insured access to a vast network of cyberse- 
curity vendors and professionals at discounted rates that could be called upon in the 
event of a problem (the “co-pays” and “co-insurance” equivalents). 

The cyber HMO plans would also provide low-cost or even free access to basic 
“cyber hygiene” care, such as routine diagnostic examination of information tech- 
nology systems, perimeter defense systems, and other basic defense systems (the an- 
nual physical and low-cost or free vaccine equivalents). 

More “advanced” defense systems could be subject to a higher co-pay and deduct- 
ible, and companies could even choose to go “out of network” if they choose, but only 
by shouldering more of the cost. 

I firmly believe that this subcommittee should look for ways to support the con- 
cept of a “cyber HMO,” as a model that actively promotes and rewards healthy cyber 
behavior — a Gordian knot that no carrier has been able to untie yet using tradi- 
tional insurance models. That’s a critical piece of the cybersecurity puzzle, as the 
challenge has been how to get companies to engage in effective cybersecurity rather 
than the most easily accessible form of it. 

Best of all, using the cyber HMO model addresses a presumed obstacle to cyber 
insurance: A lack of actuarial data. Through its mere existence, the cyber HMO will 
gather the data needed to assess and underwrite costs. This enables cyber benefits 
to be more finely tuned, benefitting its members and society writ large. 

At the very least, this approach has the benefit of trying to solve the problem at 
hand, not simply forcing a square peg into a round hole. If nothing else, maybe this 
idea will generate more discussion around trying to take proactive security meas- 
ures. 

One other model I would like to present to the Members of the subcommittee is 
the notion of creating cyber “pools” of insurance. Through risk pooling, companies 
can work together to purchase more insurance than might otherwise be available 
to them while also establishing hard liability limits and sharing cyber defense re- 
sources. 

Risk pooling mechanisms come in a number of forms, including “risk purchasing” 
and “risk retention” groups. Those groups allow collections of companies (usually 
similarly situated in terms of industry sector) to jointly purchase or create insurance 
coverage that would otherwise be unavailable or excessively expensive. 

Such pools have been around for some time, and discussions with respect to uti- 
lizing them in the context of cyber threats are picking up steam. Where companies 
can take true advantage of these mechanisms is to layer in additional risk mitiga- 
tion tools such as threat information sharing and statutory liability protection. Com- 
bining those aspects could lead to a very powerful collective defense tool. 

Here’s how it can work: 

(1) A group of similarly-situated companies agree to form a risk purchasing or 
retention group in order to obtain cybersecurity insurance. 

(2) The companies agree to use certain security standards or technologies (for 
instance SANS 20 controls, “detonation chambers”, information sharing via 
dedicated “private clouds”, the recent National Institutes of Standards and 
Technologies voluntary cybersecurity framework, etc.) 

(3) The companies then pool their resources either to jointly purchase an exist- 
ing cyber insurance policy or to create a pool of insurance that they would col- 
lectively maintain. 

(4) As part of the agreement, any company that fails to adhere to the security 
standards will be asked to leave the group at the next renewal period. 

This proposal can potentially be extremely valuable to the most vulnerable compa- 
nies, namely small and medium-sized businesses that do not have the resources to 
create their own robust cyber defenses. By pooling both their financial resources to 
buy additional insurance but also their technical capabilities to create a common de- 
fense, this concept will work to strengthen the bonds between businesses and allow 
them to collectively respond to and mitigate otherwise devastating cyber attacks. 

Further, this arrangement also potentially allows more of the insurance funds to 
be used for “first party” losses the company has directly suffered (damaged equip- 
ment, lost data, business interruption, etc.) rather than losses suffered by third par- 
ties. 

The pool arrangement also enables companies to collaborate and establish a base- 
line of security that each would commit to maintaining, and also allows for regular 
reviews to determine what security controls need to be adjusted. The companies 
could even work with public/private partnership resources within the Department 
of Homeland Security and other Federal agencies such as NIST to help them refine 
their programs and policies in order to achieve a greater cyber “maturity” level than 
they might have otherwise reached. 

Another benefit of this pool concept is that the insured group can take advantage 
of the cyber information-sharing platform recently created by the Cyber Information 
Sharing Act. The pools would be prime candidates to benefit from that platform, and 
would likewise make excellent candidates to serve as information-sharing and anal- 
ysis organizations, or “ISAOs,” within the CISA framework. 

The pooling concept gives companies an excellent opportunity to take charge of 
their security profile, and do so in a way that both mitigates the likelihood of a suc- 
cessful attack as well as increase resources to respond to or mitigate losses. Further, 
these pools can serve as an excellent collective effort that can more fully take advan- 
tage of the public/private partnership benefits offered through the CISA legislation 
and the ISAO concept. 


CONCLUSION 

Thank you for the opportunity to present my statement to the subcommittee. I 
am happy to answer any question you might have regarding my thoughts. 

Mr. Richmond. With that, I yield back. 

[The statement of Ranking Member Richmond follows:] 

Statement of Ranking Member Cedric L. Richmond 
March 22, 2016 

Unfortunately, businesses and government in America, and across the world, are 
seeing increased levels and frequencies of cyber attacks and the rapidly accelerating 
sophistication of state-sponsored and privately-organized cyber criminals. Over the 
past few years, this subcommittee has conducted Government oversight and pro- 
duced legislative initiatives and worked diligently to provide the Department of 
Homeland Security and other Federal agencies with the tools it needs to protect 
our systems and databases, and encourage the participation of private industry both 
in the critical infrastructure sector and for information sharing. 

Today, we are going to hear from private industry, and a representative of their 
State insurance regulatory Commissioners about cyber insurance. While the full 
committee, and particularly this subcommittee, has no oversight or legislative juris- 
diction over the cyber insurance activities of these actors and sectors, we do have 
an interest in how they are doing. 

The statistics are familiar to us all, the percentage of U.S. critical infrastructure 
assets owned by private-sector firms is estimated to be somewhere in the neighbor- 
hood of 85 percent. The way these assets are operated and managed has vastly 
changed over the last few decades due to the impact of the digital revolution related 
to computer-based information systems. These changes have increased the efficiency 
associated with using our infrastructure assets. 

The digital revolution, however, has also created serious risks to the Nation’s crit- 
ical infrastructure due to actual and potential cybersecurity breaches. As noted by 
President Obama in his Executive Order on Cybersecurity, February 12, 2013: Re- 
peated cyber intrusions into critical infrastructure demonstrate the need for im- 
proved cybersecurity. The cyber threat to critical infrastructure continues to grow 
and represents one of the most serious National security challenges we must con- 
front. 

Last year set a high bar for the size and scope of data breaches, led by the theft 
of over 20 million Government background checks, and with that high bar, an in- 
creasing interest in how State and local governments, and businesses large and 
small, can manage their risks and vulnerabilities when they operate in cyber space. 

For example, recently on a panel on “lessons learned” from real-world chief infor- 
mation security officers, the University of Virginia’s Randy Marchany explained that 
the increased and sophistication of the level of today’s cyber threats forces him to 
assume that hackers already have access to his network, and the best he can do 
is to monitor for when the latent threat becomes active. 

With that said, let’s cut to the chase — what would a cyber insurance policy look 
like if an experienced chief information security officer, or CISO, of a company or 
municipal government came to your insurance company with the proposition that 
it is likely that his systems had already been hacked and the malware was likely 
dormant, but he wanted to purchase insurance from you as to mitigation and reper- 
cussions? 

Or, to complicate things even more, and introduce the well-known “moral hazard” 
consideration that accompanies any insurance policy — what if a hypothetical CISO 
knew he had been hacked, but wasn’t telling you or anyone else, and he knew or 
suspected the hack or intrusion was lying dormant and would activate at some later 
date? I am not the first to pose these kinds of questions, and these are questions 
I am sure all of us have had, if you contemplate the issue of cyber insurance at all. 

But these are worst-case scenarios. Going forward, cyber insurance can play a key 
role in helping businesses, especially small and mid-sized business, to assess their 
cybersecurity posture and readiness, and their ability to be resilient and recover 
from anticipated cyber threats and attacks. We are engaged in an exceptionally com- 
plex and nuanced policy arena. I am especially interested to see how the States will 
handle the regulatory responsibilities that surround cyber insurance, and how the 
States can serve as incubators for innovative solutions to the National, inter- 
national, and industry-wide challenge of cybersecurity for our Nation’s businesses 
and Government agencies. 

Mr. Ratcliffe. I thank the gentleman. Other Members of the 
committee are reminded that opening statements may be sub- 
mitted for the record. 

[The statement of Ranking Member Thompson follows:] 
Statement of Ranking Member Bennie G. Thompson 
February 25, 2016 

Cyber insurance is a way to share risks so when a cyber data breach event occurs, 
the insured company receives a payment to compensate for the losses. 

The analysis of data breach claims helps cyber insurance companies estimate the 
probability of a breach and the likely losses that can be covered. 

A cyber insurance company might use this experience to recommend cybersecurity 
improvements to companies it insures. 

Some suggest that cyber insurance companies can gather detailed, technical infor- 
mation on breaches and use this knowledge to prevent future breaches at other cli- 
ents. 

Others have had the idea to create insurance “pools” for use by smaller and mid- 
sized businesses, in certain sectors, which could then collectively purchase a cyber 
insurance policy. There are lots of innovative ideas on the table. 

Over the past 7 years, President Obama has been very involved on the issue of 
protecting critical infrastructure. In 2013, the President issued Executive Order 
13636, “Improving Critical Infrastructure Cybersecurity”. 

The Executive Order called for, what we now know as, the NIST Cybersecurity 
Framework, developed by the Department of Commerce’s National Institute of 
Standards and Technology. 

It is a set of voluntary industry standards and best practices to help companies 
and entities manage cybersecurity risks, and it has become a central tenet of the 
idea that cybersecurity insurance might be possible in the real world. 

We have been told the cybersecurity insurance market is growing at 30% a year 
by some estimates, and brokers and underwriters alike agree that mid-size and 
small businesses are the next sector of business to see a wide-spread adoption of 
cyber insurance. 

I know I hear from many of the main-street businesses in my District when I hold 
meetings on cyber — that many are struggling with their cybersecurity efforts. They 
lack the resources, the time, and the expertise to address this issue. 

And I imagine they will have a more difficult time qualifying for cyber insurance. 
I look forward to the testimony today on this complex and necessary component of 
cyber and information security. 

Mr. Ratcliffe. We are pleased to have with us today an incred- 
ibly distinguished panel of witnesses on this very important topic. 
Mr. Matthew McCabe is the senior vice president for network secu- 
rity and data privacy at Marsh FINPRO. Welcome, and as a former 
counsel to the Committee on Homeland Security, maybe I should 
say welcome back. 

Commissioner Adam Hamm is the North Dakota insurance com- 
missioner and is testifying on behalf of the National Association of 
Insurance Commissioners. Commissioner Hamm, thank you for 
being with us here today. 

Mr. Daniel Nutkis is the chief executive officer for the Health In- 
formation Trust Alliance. We appreciate you coming all the way 
from the great State of Texas to be with us this morning. 

Last but not least, Mr. Tom Finan is the chief strategy officer at 
Ark Network Security Solutions, and is also a former Department 
of Homeland Security official. We welcome you back as well. 

I now ask the witnesses to stand and raise your right hand so 
that I can swear you in to testify. 

[Witnesses sworn.] 

Mr. Ratcliffe. Let the record reflect that the witnesses have an- 
swered in the affirmative. The witnesses’ full written statements 
will appear in the record. 

The Chair now recognizes Mr. McCabe for his opening statement. 
STATEMENT OF MATTHEW P. McCABE, SENIOR VICE PRESI- 
DENT, NETWORK SECURITY AND DATA PRIVACY, MARSH FINPRO 

Mr. McCabe. Thank you. Good morning, Chairman Ratcliffe, 
Ranking Member Richmond, and Members of the subcommittee. 
My name is Matthew McCabe, and I am a senior adviser for 
Marsh, which is the global leader in risk management and insur- 
ance brokering. 

Every day around the world, Marsh advisers work with clients 
to quantify and manage risk. Today, our prayers are certainly with 
our colleagues in Brussels and, of course, with all the citizenry in 
the wake of those terrible attacks. 

My testimony today focuses on how Marsh helps clients manage 
risk through cyber insurance. Broadly stated, there are 3 core com- 
ponents. First, a policy can pay costs to respond to a cyber incident. 
These can be items like forensics, data breach notification and 
credit monitoring, restoring corrupted data, or even a cyber extor- 
tion demand. 

Second, cyber insurance will cover fees and damages that arise 
from litigation triggered by a cyber incident. Third, cyber insurance 
reimburses revenue lost or expenses incurred from disruption of 
network operations. However, the benefits of coverage are not sim- 
ply financial. Cyber insurance actually can strengthen an organiza- 
tion’s cyber preparedness. 

As a threshold matter, as the Chairman recognized, applying for 
coverage requires an assessment. Underwriters scrutinize practices 
such as perimeter defenses, incident response plans, patching soft- 
ware, access privileges, and network monitoring before issuing a 
policy. In that assessment, we will help determine the premium 
which incentivizes better practices. Once coverage is bound, teth- 
ered to that coverage are vendor services such as threat assess- 
ment and vulnerability scanning. 

Most prominently, cyber insurance supports incident response 
plans by providing services like forensics, legal analysis, fraud miti- 
gation, and crisis management. This feature can be especially valu- 
able for small and mid-size businesses that may lack resources to 
carry their own incident response plans. Notably, research indi- 
cates that nearly 60 percent of cyber attacks target small and mid- 
size businesses. 

Interest in cyber insurance is robust and climbing. In 2015, the 
number of U.S.-based Marsh clients purchasing cyber insurance in- 
creased 27 percent when compared to 2014. That 27 percent num- 
ber follows a 32 percent increase in the prior year, and a 21 per- 
cent increase in the year before. Currently, cyber insurance pur- 
chasing remains dominated by industries that aggregate customer 
data, personally identifiable information. 

But purchasing is climbing for industries with less data, but 
which have a significant exposure for network disruptions. Typical 
industries that can serve as examples would be electric utilities 
and manufacturers. So this trend signals that more companies see 
a growing exposure from cyber physical systems where operational 
technology is remotely controlled via an internet connection. 

Marsh and McLennan recently considered this exposure in a re- 
port titled “Cyber Resiliency in the Fourth Industrial Revolution,” 
which it co-authored with FireEye and Hewlett Packard Enter- 
prise. The report examines how cyber threats are morphing into a 
realm of physical assets and critical infrastructure. With the esca- 
lation of attacks and increased connectivity of devices, there is a 
clear need for critical infrastructure companies to become more re- 
silient to cyber attacks. 

The report concludes that one key for building cyber resiliency is 
to have distinct cyber risk advisers, such as threat intelligence, fo- 
rensic assessment, systems architecture, and risk transfer, provide 
an integrated strategy. They will ask questions such as: What are your 
most critical assets? Who are the bad actors targeting your net- 
work? What does your on-line activity signal to the hackers out 
there? The responses to those questions will yield data, and that 
data should inform every aspect of cyber risk management. 

For the same rationale, Marsh has participated in and supports the 
DHS Cyber Incident Data Analysis Working Group. The insurance 
industry is data-intensive, and advising clients relies on our ability 
to model the likelihood and severity of events. In fact, the strength 
of our industry is its emergence as a leader in cyber incident anal- 
ysis. So we believe the repository could have several uses, including 
strengthening underwriting, developing new products to close gaps 
in coverage, and could support metrics around information sharing 
and detecting threats. 

In conclusion, cyber risk management depends on our ability to 
quantify risk and provide analytics that support action items. 
Thank you, and I look forward to answering any questions that you 
might have. 

[The prepared statement of Mr. McCabe follows:] 

Prepared Statement of Matthew P. McCabe 
March 22, 2016 

INTRODUCTION 

Good morning Chairman Ratcliffe, Ranking Member Richmond, and Members of 
the subcommittee. My name is Matthew McCabe, and I am a senior advisory spe- 
cialist in the field of cyber insurance broking for Marsh. My testimony today will 
focus on defining the product of cyber insurance, explaining how it supports resil- 
iency to defend against cyber threats, and how analysis of data related to cyber inci- 
dents supports the industry. I am grateful for the opportunity to participate in this 
important hearing. 

Marsh & McLennan operates through 4 market-leading brands — Marsh, Guy Car- 
penter, Mercer, and Oliver Wyman. Each organization provides advice to clients 
across an array of industries in the areas of risk, strategy, and human capital. As 
the leading insurance broker in the world, Marsh has a unique perspective on the 
cyber insurance market. 

Marsh’s role is to work with clients to analyze their risk exposures and, where 
appropriate, help our clients implement solutions to address and mitigate the finan- 
cial impact of a cyber incident. 

Over the past decade, our Nation has witnessed an astonishing evolution of cyber 
risk that continues to grow in size and sophistication. It was aptly described by 
President Barack Obama as “one of the great paradoxes of our Information Age — 
the very technologies that empower us to do great good can also be used by adver- 
saries to inflict great harm.” Technically-sophisticated actors have the opportunity 
to carry out attacks at a relatively low cost, and they do so repeatedly by frustrating 
attribution or enjoying the protection of a jurisdiction where the ability to extradite 
or prosecute bad actors remains evasive. 

That paradigm resulted in an epic crime wave, with enormous consequences for 
our clients. Companies have lost hundreds of millions of customer records, suffered 
rampant pilfering of intellectual property and endured the theft of funds and sen- 
sitive financial information. 

Many metaphors have been invoked to describe this phenomenon. Is this an epi- 
demic? Is this the modern-day risk of catastrophic fire? My preference is piracy. 
Simply put, a new generation of raiders committed to plunder have taken to the vir- 
tual high seas. These raiders may enjoy tacit or direct support of a nation-state. Vic- 
timized merchants expect their government to address this menace and are consid- 
ering how they can pursue their own recourse. However, even that metaphor has 
come full circle. This week, security experts found that actual pirates have been 
hacking into a global shipping company in order to target specific ships with the 
most valuable cargo. There is no company or industry that is not affected by cyber 
risk. 

For this committee, the paramount concern is that cyber threats have now un- 
questionably escalated into a genuine threat against the homeland. The growing 
prominence of cyber physical systems — where operational technology connections be- 
come increasingly accessible through the internet — gives rise to an escalated risk to 
the control of physical processes. The threat to U.S. critical infrastructure arising from 
the exposure of cyber physical systems has quickly morphed from speculative, to ru- 
mored, and now actual events. Recent examples include the 2013 attack against a 
New York dam, last year’s attack against a Ukrainian electric utility and railways, 
and purportedly a recent threat against a South Korean rail system. In short, the 
stakes in this game have risen quickly. 

Marsh & McLennan recently considered this challenge in a report titled “Cyber 
Resiliency in the Fourth Industrial Revolution”, which it co-authored with FireEye 
and Hewlett Packard Enterprises. (See Appendix A.) As noted in the report, with 
most experts predicting that the number of internet-connected devices will eclipse 
30 million by 2020, there will be a broad expansion of the attack surface against 
critical infrastructure. Realizing that this boom in connectivity must be met with 
a better approach for securing the backbone systems that support critical infrastruc- 
ture, the authors considered the challenge of how the private sector can develop 
greater resiliency in the face of cyber threats. 

Our conclusion is that cyber-risk advisers must come together to create a unified 
approach for building cyber resiliency of these systems. Much like the NIST Frame- 
work presents a process for end-to-end assessment, the different disciplines of cyber- 
risk management must coalesce into an integrated solution. Each stage of cyber risk 
advising should inform and reinforce the others. Thus, cyber insurance should not 
be viewed as a stand-alone solution; it is instead a key component of cyber-risk 
management around which experts can coalesce and which can provide strong mar- 
ket incentives to pursue greater security. 

The many benefits of cyber insurance are apparent to the private sector. The 
number of Marsh U.S.-based clients purchasing stand-alone cyber insurance in- 
creased 27% in 2015 compared with 2014. That followed a 32% increase of clients 
purchasing cyber insurance in 2014 over 2013, and a 21% increase from 2012 to 
2013. This purchasing is supported by more than 50 carriers from around the world 
that potentially can provide more than $500 million in capacity. 

Because of the incessant stream of data breaches that have targeted U.S. compa- 
nies, purchasing is dominated by industries that aggregate customer data, such as 
retailers, financial institutions, and health care providers. However, take-up rates 
are climbing for industries with small amounts of data but that are exposed to sig- 
nificant risk of network outage, such as electric utilities or manufacturers. In short, 
the sharp increase in cyber insurance purchasing has increased rapidly and con- 
tinues its growth as a vital part of risk-based cybersecurity management strategies. 

THE VALUE OF CYBER INSURANCE 

Broadly stated, there are 3 core components of cyber insurance. First, cyber insur- 
ance will reimburse the costs that a company pays to respond to a cyber incident. 
These expenses may come in the form of complying with requirements to notify and 
protect affected individuals in the wake of a data breach; paying the expense to 
recreate corrupted or destroyed data; or even paying the demand of an extortionist. 
Second, cyber insurance covers the fees and damages that a company may pay in 
response to litigation resulting from a cyber incident. Third, cyber insurance reim- 
burses revenues lost or expenses incurred due to a disruption related to a cyber inci- 
dent. 


¹ See [sic] (accessible at http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf). 
However, the benefits of cyber insurance extend far beyond reimbursement for fi- 
nancial loss. Cyber insurance has evolved into a product that serves as a key 
touchpoint for an organization to assess its cyber practices and coordinate its inci- 
dent response plan to cyber incidents. The Department of Commerce Internet Policy 
Task Force recently commented that cybersecurity insurance is potentially an “effec- 
tive, market-driven way” of increasing cybersecurity in the private sector. 

For demonstrative purposes, the benefits attached to cyber insurance can be ex- 
plained in the context of the NIST Cybersecurity Framework by mapping the com- 
ponents of a policy to the five cybersecurity domains proposed in the Framework: 
assessment, prevention, detection, response, and recovery. 

As a threshold matter, the very act of applying for insurance forces an assessment 
of the applicant’s cyber practices. The underwriting process will scrutinize a com- 
pany’s technical defenses, incident response plan, procedures for patching software, 
policies for limiting access to data and systems, monitoring of the vendor network 
and more. Applying for cyber insurance is therefore an important risk mitigation 
tool. Further, carriers assess the applicant’s security practices and provide pre- 
miums based on their interpretation. Thus, cyber insurance premiums provide an 
important incentive that drives behavioral change in the marketplace. 

Once a cyber insurance program is implemented, the insured can avail themselves 
of services and solutions to further mitigate cyber risk and strengthen cyber hy- 
giene. The insurance marketplace thereby enhances access to detection and mitiga- 
tion solutions and the large network of vendors that provide threat intelligence, vul- 
nerability scanning, system configuration analysis, and technology to block mali- 
cious signatures. 

Most prominently, cyber insurance can support an organization’s incident re- 
sponse plans. In the example of a data breach, most cyber insurance policies provide 
the services needed to respond to breaches, including forensics to determine what 
customer records have been compromised, legal analysis of the insured’s responsibil- 
ities, notification to affected individuals, and credit monitoring and restoration to 
protect its customers. A well-executed response plan will actually reduce the overall 
cost of a data breach and avoid many of the problems that may later surface in re- 
sulting litigation or regulatory scrutiny. These services can be especially valuable 
for small- and mid-size enterprises that will require a cyber incident response plan, 
but lack the resources to implement one on their own. 

In short, using market-driven incentives, cyber insurance serves to build greater 
resiliency within the private sector. This can be especially critical for small- and 
mid-size businesses that would experience a significant financial burden to retain 
and execute all of these services on their own. Notably, recent research indicates 
that as many as 60% of cyber attacks target small- and mid-size businesses.² With 
cyber insurance, these businesses can rely on experienced cyber security vendors in 
the wake of a cyber incident and respond and recover more quickly from the inci- 
dent. 


THE ROLE OF DATA ANALYSIS 

As this committee has recognized through its important work to pass legislation 
on the sharing of cyber threat indicators, enhanced information sharing between in- 
dustry and Government is an important component of a comprehensive risk mitiga- 
tion strategy. For this purpose, Marsh has participated in and supported the De- 
partment of Homeland Security’s (DHS) Cyber Incident Data Analysis Working 
Group, and, prior to that, Cyber Insurance Workshops conducted by DHS. 

As the committee is aware, the insurance industry is data-intensive. There are 
both internal and external drivers for strong modeling to enable more accurate fore- 
casting for the likelihood and severity of events. As a rule of thumb, better data 
leads to better decisions. For this reason, Marsh has participated in the DHS work- 
ing groups that have proposed the creation of a repository that would collect 
anonymized data to track cyber incidents. 

Importantly, the committee should not interpret the desire to collect more actu- 
arial data or to strengthen modeling as an indication that the cyber insurance in- 
dustry is currently without tether to a strong appreciation of the underlying risk. 
One strength of the cyber insurance industry is that the underwriting process gen- 
erates data on threats, vulnerabilities, and potential consequences for each appli- 
cant. Indeed, the cyber insurance industry has risen to become a leader in incident 
analysis for informing trends in cyber threats and correlating best practices with the 
amount of loss. 


² See Symantec Internet Security Report 2014 (accessible at http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf). 
However, a centralized repository could offer several benefits to both Government 
and industry. As proposed, the data repository would provide a centralized platform 
to share the information that many companies retain about hacking activity. 

Making this data available centrally can inform analysis of long-term trends for 
insight into the effectiveness of security practices. For example, companies, carriers, 
and regulators could potentially analyze whether certain security protocols or prac- 
tices have effectively mitigated cyber risk. For example, Government and industry 
could undertake an analysis as to whether organizations that have implemented 
cyber practices using the NIST Framework have proven more resilient in with- 
standing cyber attacks. Further, in the wake of the recent passage of information- 
sharing legislation, Government and industry could explore whether the greater 
availability of cyber threat indicators has enabled organizations to fend off malevo- 
lent actors. 

From the perspective of Government, analyzing the successes and challenges re- 
lated to cyber risk strategies could provide a basis for shaping future Federal policy. 
Increasingly, network systems tie together an ever broader and more sophisticated 
global supply chain, yielding greater complexity and more latent risk. Accordingly, 
any new requirement for protecting supply chains should be founded in data anal- 
ysis and consider potential consequences of regulations on the marketplace and the 
likelihood for accomplishing intended security goals. 

From the perspective of the insurance industry, the greater availability of cyber 
incident data to strengthen underwriting may also facilitate market forces to ad- 
dress current and future risks, and eventually encourage further carrier participa- 
tion. Better data could also enable the insurance industry to introduce solutions to 
close gaps in current coverages and to determine how best to detect and mitigate 
future incidents, or to reduce incident response times and facilitate recovery. 

Thank you for allowing me to present this testimony. I am happy to take your 
questions.³ 

Mr. Ratcliffe. Thank you, Mr. McCabe. The Chair now recog- 
nizes Commissioner Hamm for his opening statement. 

STATEMENT OF ADAM W. HAMM, COMMISSIONER, NATIONAL 
ASSOCIATION OF INSURANCE COMMISSIONERS 

Mr. Hamm. Good morning, Chairman Ratcliffe, Ranking Member 
Richmond, and Members of the committee. Thank you very much 
for the opportunity to testify today. 

So to begin, State insurance regulators are keenly aware of the 
potentially devastating effects that cyber attacks can have, and we 
have taken a number of steps to enhance data security expecta- 
tions across the insurance sector. We understand the pressure 
these increased risks put on other industries, creating unprece- 
dented demand for products to manage and mitigate some of their 
cybersecurity risks through insurance. 

Most businesses carry commercial insurance policies, but may 
not realize cybersecurity risks are not covered. To cover these 
unique risks, businesses need to purchase a special, customized cy- 
bersecurity policy. My written testimony details the structure of fi- 
nancial and market regulation for U.S. insurers writing these types 
of policies. 

Ours is a Nationally-coordinated, State-based system that relies 
on extensive peer review, communication, and collaboration among 
regulators to produce checks and balances in oversight, always 
with the fundamental tenet of protecting policy holders by ensuring 
that companies are solvent and can pay claims when they come 
due. 


³ Appendix to Marsh & McLennan Companies Testimony. A. Report: “Cyber Resiliency in the 
Fourth Industrial Revolution” is available at: http://info.resilientsystems.com/ponemon-institute-study-the-cyber-resilient-organization-ppc?utm_campaign=CyberResiliencePonemonReport&utm_source=google&utm_medium=cpc&gclid=CP3F2Lf61MsCFRNahgodl98LrA. 
When it comes to regulation, cybersecurity policies are scruti- 
nized just as closely as other insurance contracts. Their complexity 
and new product language will present some novel issues, but pol- 
icy forms and rates are still subject to review to ensure the con- 
tracts are reasonable and not contrary to State laws. We also have 
market conduct authorities to examine insurers and policies, as 
well as strong enforcement powers. 

Cybersecurity risk remains difficult for insurance underwriters to 
quantify, due in large part to a lack of actuarial data. Today, in the 
absence of that data, insurers compensate by pricing that relies on 
qualitative assessments of an applicant’s operations, vendors, risk 
management procedures, and security culture. As a result, the poli- 
cies for cyber risk tend to be more customized than others, and 
therefore more costly. 

From a regulatory perspective, we would like to see these quali- 
tative assessments coupled with a more robust actuarial data sys- 
tem based on actual incident experience. As it is still developing, 
accurately assessing the exposure or the size of the cybersecurity 
insurance market is a work in progress. That is why the NAIC has 
developed a new mandatory data supplement. This supplement re- 
quires all insurance carriers, writing either identity theft insurance 
or cybersecurity insurance, to report on their claims, premiums, 
losses, expenses, and in-force policies in these areas. 

With this data, regulators will be able to more definitively report 
on the size of the market and identify trends that will inform 
whether more tailored regulation is necessary. As with any new re- 
quirement, we expect that the terminology and reporting will ma- 
ture over time. 

State insurance regulators are also ramping up our efforts to 
tackle other cybersecurity issues and reduce risk in the insurance 
sector through a number of initiatives. In the past year, the NAIC 
has adopted 12 principles for effective cybersecurity, a roadmap for 
consumer cybersecurity protections, updated guidance for exam- 
iners regarding IT systems and protocols. Most recently, we ex- 
posed for public comment a new insurance data security model law. 
We have done all of this through the NAIC’s open and transparent 
process, and we continue to welcome all stakeholder input on these 
projects. 

The expansion of cyber risks and the growth of the cybersecurity 
insurance market are a tremendous opportunity for the insurance 
sector to lead in the development of cyber hygiene across our Na- 
tional infrastructure. Insurance has a long history of driving both 
best practices and standardization. It creates economic incentives 
through the pricing of products, and the underwriting process can 
test risk management techniques and encourage policy holders to 
make their businesses more secure. 

As insurers develop more sophisticated tools for underwriting 
and pricing, State regulators will continue to monitor and study cy- 
bersecurity products, always remembering that our fundamental 
commitment is to ensuring that policy holders are protected and 
treated fairly by financially sound insurance companies. 

In conclusion, State insurance regulators remain extensively en- 
gaged to promote an optimal regulatory framework, and cybersecu- 
rity insurance is no exception. I want to thank you again, Chair- 
man Ratcliffe, for the opportunity to testify today, and I look for- 
ward to answering your questions. 

[The prepared statement of Mr. Hamm follows:] 

Prepared Statement of Adam W. Hamm 
March 22, 2016 

INTRODUCTION 

Chairman Ratcliffe, Ranking Member Richmond, and Members of the sub- 
committee, thank you for the invitation to testify today. My name is Adam Hamm. 
I am the commissioner of the Insurance Department for the State of North Dakota 
and I present today’s testimony on behalf of the National Association of Insurance 
Commissioners (NAIC).¹ I am a past president of the NAIC, and I have served as 
the chair of the NAIC’s Cybersecurity Task Force since its formation in 2014.² On 
behalf of my fellow State insurance regulators, I appreciate the opportunity to offer 
our views and perspective on cybersecurity challenges facing our Nation and the 
role cybersecurity insurance can play in risk management. 

THE CYBER THREAT LANDSCAPE CREATES DEMAND FOR COVERAGE 

On one hand, threats to data privacy are not new for businesses, regulators, or 
the consumers we protect. Regulators and legislatures have required businesses to 
protect consumer data for decades. On the other hand, the modern size, scale, and 
methods of data collection, transmission, and storage all present new challenges. As 
society becomes more reliant on electronic communication and businesses collect and 
maintain ever more granular information about their customers in an effort to serve 
them better, the opportunity for bad actors to inflict damage on businesses and the 
public increases exponentially. Rather than walking into a bank, demanding bags 
of cash from a teller, and planning a speedy getaway, a modern thief can steal high- 
ly-sensitive personal health and financial data with a few quick keystrokes or a well 
disguised phishing attack from the comfort of his basement couch. Nation states 
also place great value on acquiring data to either better understand or disrupt U.S. 
markets, and are dedicating tremendous resources to such efforts. 

As these cyber threats continue to evolve, they will invariably affect consumers 
in all States and territories. State insurance regulators are keenly aware of the po- 
tential devastating effects cyber attacks can have on businesses and consumers, and 
we have taken a number of steps to enhance data security expectations across the 
insurance sector, including at our own departments of insurance and at the NAIC. 
We also understand the pressure these increased risks are putting on other indus- 
tries, creating unprecedented demand for products that allow purchasers to manage 
and mitigate some of their cybersecurity risks through insurance. Whether attacks 
come from nation states, terrorists, criminals, hacktivists, external opportunists or 
company insiders, with each announcement of a system failure leading to a signifi- 
cant business loss, awareness grows, and companies will seek additional coverage 
for security breaches, business interruptions, reputational damage, theft of digital 
assets, customer notifications, regulatory compliance costs, and many more liabil- 
ities that arise from doing business in the modern connected universe. 

Most businesses carry and are familiar with their commercial insurance policies 
providing general liability coverage to protect the business from injury or property 
damage. What they may not realize is that most standard commercial lines policies 
do not cover many of the cyber risks mentioned above. To cover these unique cyber 
risks through insurance, businesses need to purchase a special cybersecurity policy. 

I want to urge some caution regarding the term “cybersecurity policy” because it 
can mean so many different things — while it is a useful short-hand for purposes of 
today’s conversation, I want to remind the committee that until we see more stand- 
ardization in the marketplace, a “cybersecurity policy” will really be defined by what 
triggers the particular policy and what types of coverage may or may not be in- 
cluded depending on the purchaser and insurer. Commercial insurance policies are 


1 The NAIC is the United States standard-setting and regulatory support organization created 
and governed by the chief insurance regulators from the 50 States, the District of Columbia, 
and 5 U.S. territories. Through the NAIC, we establish standards and best practices, conduct 
peer review, and coordinate our regulatory oversight. NAIC members, together with the central 
resources of the NAIC, form the National system of State-based insurance regulation in the 
United States. 

2 Attachment A — NAIC Cybersecurity (EX) Task Force Membership List. 
contracts between 2 or more parties, subject to a certain amount of customization, 
so if you’ve seen 1 cybersecurity policy, you’ve seen exactly 1 cybersecurity policy. 

All these nuances mean securing a cybersecurity policy is not as simple as pulling 
something off the shelf and walking to the cash register. Insurers writing this coverage 
are justifiably interested in the risk-management techniques applied by the 
policy holder to protect its network and its assets. The more an insurer knows about 
a business’s operations, structures, risks, history of cyber attacks, and security cul- 
ture, the better it will be able to design a product that meets the client’s need and 
satisfies regulators. 

INSURANCE REGULATION IN THE UNITED STATES — “COPS ON THE BEAT” 

The U.S. insurance industry has been well-regulated at the State level for nearly 
150 years. Every State has an insurance commissioner responsible for regulating 
that State’s insurance market, and commissioners have been coming together to co- 
ordinate and streamline their activities through the NAIC since 1871. The North 
Dakota Insurance Department, which I lead, was established in 1889 and employs 
approximately 50 full-time staff members to serve policy holders across our State. 
It is our job to license companies and agents that sell products in our State, as well 
as to enforce the State insurance code with the primary mission of ensuring sol- 
vency and protecting policy holders, claimants, and beneficiaries, while also fos- 
tering an effective and efficient marketplace for insurance products. The strength 
of our State-based system became especially evident during the financial crisis — 
while hundreds of banks failed and people were forced from their homes, less than 
20 insurers became insolvent and even then, policy holders were paid when their 
claims came due. 

Conceptually, insurance regulation in the United States is straightforward. Amer- 
icans expect insurers to be financially solvent, and thus able to make good on the 
promises they have made. Americans also want insurers who treat policy holders 
and claimants fairly, paying claims when they come due. In practice, the regulation 
of an increasingly complex insurance industry facing constantly-changing risks and 
developing new products to meet risk-transfer demand becomes challenging very 
quickly. The U.S. State-based insurance regulatory system is unique in that it relies 
on an extensive system of peer review, communication, and collaboration to produce 
checks and balances in our regulatory oversight of the market. This, in combination 
with our risk-focused approach to financial and market conduct regulation, forms 
the foundation of our system for all insurance products in the United States, includ- 
ing the cybersecurity products we are here to discuss today. 

Treasury Deputy Secretary Sarah Bloom Raskin stated at an NAIC/CSIS event 
last fall that “State insurance regulators are the cops on the beat when it comes 
to cybersecurity at insurance companies and the protection of sensitive information 
of applicants and policy holders.” We take very seriously our responsibility to ensure 
the entities we regulate are both adequately protecting customer data and properly 
underwriting the products they sell, and we continue to convey the message to in- 
surance company C-suites that cybersecurity is not an IT issue — it is an Enterprise 
Risk Management Issue, a board of directors issue, and ultimately a CEO issue. 

REGULATION OF CYBERSECURITY POLICIES 

Having discussed increasing demand for coverage, we can turn to the role my fel- 
low insurance commissioners and I play as regulators of the product and its car- 
riers. Let me start by putting you at ease: When it comes to regulation, cybersecu- 
rity policies are scrutinized just as rigorously as other insurance contracts. While 
they may be more complex than many existing coverages and new product language 
will present some novel issues, when insurers draft a cybersecurity policy, they are 
still required to file forms and rates subject to review by the State Department of 
Insurance. State insurance regulators review the language in the contracts to en- 
sure they are reasonable and not contrary to State laws. We also review the pricing 
and evaluate the benefits we expect to find in such policies. State regulators also 
retain market conduct authorities with respect to examinations of these insurers 
and policies in order to protect policy holders by taking enforcement measures 
against bad actors. 

Insurance regulation involves front-end, on-going, and back-end monitoring of in- 
surers, products, and insurance agents (or producers). The system’s fundamental 
tenet is to protect policy holders by ensuring the solvency of the insurer and its abil- 
ity to pay claims. Strict standards and keen financial oversight are critical compo- 
nents of our solvency framework. State regulators review insurers’ material trans- 
actions for approval, restrict key activities, have explicit financial requirements, and 
monitor compliance and financial condition through various solvency surveillance 





and examination mechanisms, some of which we recently updated to incorporate cy- 
bersecurity controls. We can also take corrective action on insurers when necessary 
through a regulatory intervention process. 

Financial Regulation 

Financial regulation is focused on preventing, detecting, and resolving potentially 
troubled insurers. Insurance regulators carefully monitor insurers’ capital, surplus, 
and transactions on an on-going basis through financial analysis, reporting require- 
ments, actuarial opinions, and cash flow testing. State insurance laws also restrict 
insurers’ investments and impose capital and reserving requirements. 

The monitoring of insurers is done through both on-site examinations and anal- 
ysis of detailed periodic insurer reporting and disclosures. Insurers are required to 
prepare comprehensive financial statements using the NAIC’s Statutory Accounting 
Principles (SAP). SAP utilizes the framework established by Generally Accepted Ac- 
counting Principles (GAAP), but unlike GAAP which is primarily designed to pro- 
vide key information to investors of public companies and uses a going-concern con- 
cept, SAP is specifically designed to assist regulators in monitoring the solvency of 
an insurer. The NAIC’s Accounting Practices and Procedures Manual includes the 
entire codification of SAP and serves as the consistent baseline accounting require- 
ment for all States. Each insurer’s statutory financial statements are filed with the 
NAIC on a quarterly and annual basis and include a balance sheet, an income state- 
ment, and numerous required schedules and exhibits of additional detailed informa- 
tion. 

The NAIC serves as the central repository for an insurer’s financial statement 
data, including running automated prioritization indicators and sophisticated anal- 
ysis techniques enabling regulators around the country to have access to National- 
level data without the redundancy of reproducing this resource in every State. This 
centralized data and analysis capability has been cited by the IMF as world-leading. 

Cybersecurity risk remains difficult for insurance underwriters to quantify due in 
large part to a lack of actuarial data. This has potential implications for on-going 
regulation and the market for the product. If a product is priced too low, the insurer 
may not have the financial means to pay claims to the policy holder. If too high, 
few businesses and consumers can afford to purchase it, instead opting to effectively 
self-insure for cyber incidents, limiting the ability of the insurance sector to be used 
as a driver of best practices. Today, in the absence of such data, insurers com- 
pensate by pricing that relies on qualitative assessments of an applicant’s risk man- 
agement procedures and risk culture. As a result, policies for cyber risk tend to be 
more customized than policies for other risks, and, therefore, more costly. The type 
of business operation seeking coverage, the size and scope of operations, the number 
of customers, the presence on the web, the type of data collected, and how the data 
is stored will all be among the factors that dictate the scope and cost of cybersecu- 
rity coverage offered. From a regulatory perspective, though, we would like to see 
insurers couple these qualitative assessments with robust actuarial data based on 
actual incident experience. 

Prior to writing the policy, the insurer will want to see the business’ disaster re- 
sponse plan and evaluate it with respect to network risk management, websites, 
physical assets, intellectual property, and possibly even relationships with third- 
party vendors. The insurer will be keenly interested in how employees, contractors, 
and customers are able to access data systems, how they are trained, and who key 
data owners are. At a minimum, the insurer will want to know about the types of 
antivirus and anti-malware software the business is using, the frequency of system 
and software updates performed by the business, and the performance of the fire- 
walls the business is using. 

Examination Protocols and Recent Updates 

Last year, the NAIC, through a joint project of the Cybersecurity Task Force and 
the IT Examination Working Group, undertook a complete review and update of ex- 
isting IT examination standards for insurers. Prior to this year, regulatory reviews 
of an insurer’s information technology involved a 6-step process for evaluating secu- 
rity controls under the COBIT 5 framework. Revisions for 2016 to further enhance 
examinations are based in part on the NIST framework “set of activities” to Iden- 
tify, Protect, Detect, Respond, and Recover. Specific enhancements were made to the 
NAIC Financial Examiner’s Handbook regarding reviews of insurer cybersecurity 
training and education programs, incident response plans, understanding cybersecu- 
rity roles and responsibilities, post-remediation analyses, consideration of third- 
party vendors, and how cybersecurity efforts are communicated to the Board of Di- 
rectors. 
Also evolving are regulators’ expectations of insurance company C-suites — specifically 
chief risk officers and boards of directors. Regulators expect improved incident 
response practice exercises, training, communication of cyber risks between the 
board and management, and incorporation of cybersecurity into the Enterprise Risk 
Management processes. There is now an expectation that members of an insurer’s 
board of directors will be able to describe how the company monitors, assesses, and 
responds to information-security risks. 

Market Regulation 

Market regulation is focused on legal and fair treatment of consumers by regula- 
tion of product rates, policy forms, marketing, underwriting, settlement, and pro- 
ducer licensing. Market conduct examinations occur on a routine basis, but also can 
be triggered by complaints against an insurer. These exams review producer licens- 
ing issues, complaints, types of products sold by insurers and producers, producer 
sales practices, compliance with filed rating plans, claims handling and other mar- 
ket-related aspects of an insurer’s operation. When violations are found, the insur- 
ance department makes recommendations to improve the insurer’s operations and 
to bring the company into compliance with State law. In addition, an insurer or in- 
surance producer may be subject to civil penalties or license suspension or revoca- 
tion. To the extent that we see any of these issues arising from claims made on cy- 
bersecurity policies, regulators will be able to address them promptly through our 
suite of market conduct tools, and enhancements made to the Financial Examiner’s 
Handbook are expected to be incorporated into the Market Conduct Examiner’s 
Handbook this year. 

Surplus Lines 

It is worth mentioning that some cybersecurity coverage is currently being written 
in the surplus lines markets. A surplus lines policy can be issued only in cases 
where the coverage cannot be found in traditional insurance markets because the 
coverage is unique or otherwise difficult to underwrite. Surplus lines insurers that 
are domiciled in a U.S. State are regulated by their State of domicile for financial 
solvency and market conduct. Surplus lines insurers domiciled outside the United 
States may apply for inclusion in the NAIC’s Quarterly Listing of Alien Insurers. 
The carriers listed on the NAIC Quarterly Listing of Alien Insurers are subject to 
capital and surplus requirements, a requirement to maintain U.S. trust accounts, 
and character, trustworthiness, and integrity requirements. 

In addition, the insurance regulator of the State where the policy holder resides 
(the home State of the insured) has authority over the placement of the insurance 
by a surplus lines broker and enforces the requirements relating to the eligibility 
of the surplus lines carrier to write policies in that State. The insurance regulator 
can also potentially sanction the surplus lines broker, revoke their license, and hold 
them liable for the full amount of the policy. 

Like any other insurance market, as the cybersecurity market grows and more 
companies offer coverage, we anticipate the regulation will continue to evolve to 
meet the size and breadth of the market as well as the needs of consumers. State 
insurance regulators have a long history of carefully monitoring the emergence and 
innovation of new products and coverages, and tailoring regulation over time to en- 
sure consumers are appropriately protected and policies are available. 

CYBERSECURITY INSURANCE MARKET — NEW REPORTING REQUIREMENTS 

As a still nascent market for coverage, accurately assessing exposure or the size 
of the cybersecurity insurance market is a work in progress. To date, the only anal- 
yses of the cybersecurity market come from industry surveys and estimates that 
consistently place the size of the market in the neighborhood of $2-3 billion. In light 
of the uncertainty and many questions surrounding these products and the market, 
the NAIC developed the new Cybersecurity and Identity Theft Coverage Supplement3 
for insurer financial statements to gather financial performance information 
about insurers writing cybersecurity coverage Nation-wide. 

This mandatory new data supplement, to be attached to insurers’ annual financial 
reports, requires that all insurance carriers writing either identity theft insurance 
or cybersecurity insurance report to the NAIC on their claims, premiums, losses, ex- 
penses, and in-force policies in these areas. The supplement requires separate re- 
porting of both stand-alone policies and those that are part of a package policy. With 
this data, regulators will be able to more definitively report on the size of the mar- 
ket, and identify trends that will inform whether more tailored regulation is nec- 
essary. We will gladly submit a follow-up report to the committee once we have re- 


3 Attachment B [This attachment is retained in the committee files]. 
ceived and analyzed the first batch of company filings, which are due April 1, and 
will keep all stakeholders apprised as we receive additional information. As with 
any new reporting requirement, we expect the terminology and reporting to mature 
over time as carriers better understand the specific information regulators need. 

Having this data will enable regulators to better understand the existing cyberse- 
curity market, and also help us know what to look for as the market continues to 
grow, particularly as we see small and mid-size carriers potentially writing these 
complex products. 

NAIC EFFORTS BEYOND CYBERSECURITY INSURANCE 

The NAIC and State insurance regulators are also ramping up our efforts to tack- 
le cybersecurity issues in the insurance sector well beyond cybersecurity insurance. 
We understand that the insurance industry is a particularly attractive target for 
hackers given the kind of data insurers and producers hold, and to that end we are 
engaged on a number of initiatives to reduce these risks. 

The NAIC adopted 12 Principles for Effective Cybersecurity: Insurance Regulatory 
Guidance in April 2016.4 The principles set forth the framework through which regulators 
will evaluate efforts by insurers, producers, and other regulated entities to 
protect consumer information entrusted to them. 

We also adopted an NAIC Roadmap for Consumer Cybersecurity Protections in De- 
cember 2015 to describe protections the NAIC believes consumers should be entitled 
to from insurance companies and agents when these entities collect, maintain, and 
use personal information and to guide our on-going efforts in developing formal regulatory 
guidance for insurance sector participants.5 

Most recently, on March 3, the Cybersecurity Task Force exposed its new Insur- 
ance Data Security Model Law for public comment — written comments should be 
submitted by Wednesday, March 23, and feedback will be discussed at the open 
meeting of the task force on April 4 in New Orleans.6 The purpose and intent of 
the model law is to establish the exclusive standards for data security, investigation, 
and notification of a breach applicable to insurance licensees. It lays out definitions 
and expectations for insurance information security, breach response, and the role 
of the regulator. Recognizing that one size does not fit all, the model specifically al- 
lows for licensees to tailor their information security programs depending on the 
size, complexity, nature, and scope of activities, and sensitivity of consumer informa- 
tion to be protected. Perhaps most importantly, the model is intended to create cer- 
tainty and predictability for insurance consumers and licensees as they plan, protect 
information, and respond in the difficult time immediately following a breach. We 
welcome all stakeholders’ input as we continue the model’s development through the 
open and transparent NAIC process. 

Related to the NAIC’s new model, we are aware Congress is considering a number 
of Federal Data Breach bills. While Congress held its first hearings on data 
breaches 20 years ago, there has been no successful legislation on the issue. Mean- 
while, 47 States have acted to varying degrees, and some are on the fourth iteration 
of data security and breach notification laws. Some of these bills, including S. 961/ 
H.R. 2205, the Data Security Act, would lessen existing consumer protections in the 
insurance sector and could undermine our on-going and future efforts to respond to 
this very serious issue. 

COORDINATING WITH OUR FEDERAL COLLEAGUES 

Lastly, we understand that State insurance regulators are not alone in any of our 
efforts. We work collaboratively with other financial regulators, Congress, and the 
administration to identify specific threats and develop strategies to protect the U.S. 
financial infrastructure. State insurance regulators and NAIC staff are active members 
of the Treasury Department’s Financial Banking and Information Infrastructure 
Committee (FBIIC), where I recently gave a presentation on insurance regulators’ 
efforts in this space. 

We are also members of the Cybersecurity Forum for Independent and Executive 
Branch Regulators, where we meet with White House officials and other regulators 
to discuss best practices and common regulatory approaches to cybersecurity chal- 
lenges across very different sectors of the U.S. economy. While we certainly do not 
have all the answers yet, rest assured that regulators are communicating and collec- 
tively focused on improving cybersecurity posture across our sectors. 


4 Attachment C [This attachment is retained in the committee files]. 
5 Attachment D [This attachment is retained in the committee files]. 
6 Attachment E [This attachment is retained in the committee files]. 
CURRENT STATE OF PLAY 

I recently met with a group of insurance CEOs to discuss the NAIC’s on-going ef- 
forts in data and cybersecurity. Several baseball metaphors were used in the meet- 
ing, so when the discussion pivoted to cyber insurance, I asked how far along they 
felt that market was in its development. One CEO said it was only the top of the 
first inning, and the lead-off batter has just grabbed a bat from the rack before the 
first pitch has even been thrown — the rest of the room nodded in agreement. We 
are on the first leg of a long race when it comes to cybersecurity insurance. 

There is no question that the expansion of cyber risks and the maturation of the 
cybersecurity insurance are a tremendous opportunity for the insurance sector to 
lead in the development of risk-reducing best practices and cyber hygiene across our 
National infrastructure. Insurance has a long history of driving best practices and 
standardization by creating economic incentives through the pricing of products, and 
the underwriting process can test the risk management techniques and efficacy of 
a policy holder making a broader range of businesses secure. As insurers develop 
more sophisticated tools for underwriting and pricing, State regulators will continue 
to monitor and study cybersecurity products, always remembering that our funda- 
mental commitment is to ensuring that policy holders are protected and treated fair- 
ly, and that insurance companies are able to pay claims when they come due. 

CONCLUSION 

As insurance markets evolve, State insurance regulators remain extensively engaged 
with all relevant stakeholders to promote an optimal regulatory framework — 
cybersecurity insurance is no exception. As the cybersecurity insurance market develops, 
we remain committed to effective regulation and to making changes when 
necessary. State insurance regulators will embrace new challenges posed by a dy- 
namic cybersecurity insurance market and we continue to believe that well-regu- 
lated markets make for well-protected policy holders. Thank you again for the op- 
portunity to be here on behalf of the NAIC, and I look forward to your questions. 
Mr. Ratcliffe. Thank you, Commissioner Hamm. 

The Chair now recognizes Mr. Nutkis for his opening statement. 

STATEMENT OF DANIEL NUTKIS, CHIEF EXECUTIVE OFFICER, 
HEALTH INFORMATION TRUST ALLIANCE 

Mr. Nutkis. Good morning, Chairman Ratcliffe, Ranking Mem- 
ber Richmond, and the distinguished Members of the sub- 
committee. I am pleased to appear today to discuss the role of 
cyber insurance in risk management, and initiatives underway by 
HITRUST and the health care industry to expand and leverage its 
role. 

I am Dan Nutkis, CEO and founder of the Health Information 
Trust Alliance, or HITRUST. While I prepared my written state- 
ment for the record, I would like to share with you a few of the 
highlights. 

HITRUST helps elevate the health care industry’s cyber aware- 
ness, improve cyber preparedness, and strengthen risk manage- 
ment posture. In particular, I want to point out how cyber insur- 
ance is integral to this process. 

There should be no question as to the significance of managing 
cyber risk, and an organization’s ability to respond efficiently and 
effectively to cybersecurity incidents plays in cyber resilience. To 
aid industry in cyber risk management, threat preparedness, and 
response, HITRUST implemented numerous programs in coordina- 
tion with industry stakeholders, including our risk management 
framework, or HITRUST RMF. 

Our perspective on evolving cybersecurity threats facing the 
health care industry is formed based on our deep engagement with 
the industry around information protection. That engagement in- 
cludes data from over 14,000 security assessments done in 2015 
alone, leveraging the HITRUST RMF, as well as operating the in- 
dustry’s information-sharing and analysis organization, or ISAO, 
and running CyberRX, now in its third year, which is a series of 
industry-wide exercises developed by HITRUST to simulate cyber 
attacks on health care organizations, and evaluate the industry’s 
preparedness against attempts to disrupt U.S. health care industry 
operations. In 2015, over 1,000 organizations participated in 
CyberRX. 

The HITRUST RMF incorporates a risk-based control framework, 
specifically the HITRUST CSF, which is a scalable, prescriptive, 
and certifiable, risk-based information, privacy, and security con- 
trol framework. It provides an integrated, harmonized set of re- 
quirements tailored specifically for the health care industry. The 
HITRUST RMF is adopted by approximately 80 percent of the hos- 
pitals and health plans, making it the most widely adopted in the 
industry. 

Leveraging HITRUST’s knowledge and role in understanding and 
aiding industry in risk management, HITRUST approached Willis 
Towers Watson, a leading insurance brokerage, to explore ways to 
leverage the HITRUST RMF to allow insurers to better and more 
effectively evaluate cyber risk. HITRUST and Willis established a 
detailed approach to educate and substantiate the value of 
leveraging the HITRUST RMF as the basis for their cyber under- 
writing programs in the health care industry. I have outlined 8 
points in my written testimony that provide details on this approach 
and process. 

Over the last 5 months, HITRUST and Willis have worked to 
educate cyber insurers regarding the use of the HITRUST RMF in 
supporting the cyber risk underwriting process. Insurers have 
found the HITRUST CSF to offer many advantages over the exist- 
ing approaches, including providing a comprehensive and mature 
controls framework, aligning strong controls with risk, and accu- 
rately and consistently measuring residual risk. 

Allied World was the first company to offer preferred terms and 
conditions based on meeting the HITRUST CSF certification standards. 
After review and analysis, Allied World has determined that 
the CSF framework and CSF insurance methodology will insure its 
underwriting program in terms of efficiency, consistency, and accu- 
racy, allowing it to better align the effectiveness of an organiza- 
tion’s security controls with cyber insurance premium levels. 

The review also concluded that organizations that had obtained 
a HITRUST CSF certification posed lower cyber-related risks than 
organizations that had not. The comprehensiveness and improved 
risk reporting enabled by the HITRUST CSF and the CSF assess- 
ment summary scores in place of many of the standard information 
security application questions creates a more streamlined and con- 
sistent application process. Allied World will also provide 
HITRUST with loss data in order to ensure the HITRUST CSF 
control guidance accurately reflects the associated risks. 

In addition, we are in discussions with 5 other cyber under- 
writers regarding leveraging this approach with an expectation 
that 2 more will be participating by mid-year. It is clear that this 
approach is a win-win for the health care industry, underwriters, 
and, of course, the members and patients whose information they 
are responsible for safeguarding. 

For health care organizations, it drives better behavior in the in- 
dustry, supports better control selections, and helps prioritize re- 
mediation activity, which ultimately provides better protection for 
patients. For cyber insurance underwriters, it ensures premium 
costs are proportionate to risk, provides more targeted coverage rel- 
evant to actual risks, and ultimately provides a more sustainable 
underwriting model. 

HITRUST also believes this current cyber insurance platform 
could provide the risk management focus to encourage health care 
organizations to invest in maturing their information protection 
programs, once they understand the impact residual risk has on 
cyber insurance premiums. 

With that, Mr. Chairman, I am pleased to answer any questions. 

[The prepared statement of Mr. Nutkis follows:] 
Prepared Statement of Daniel Nutkis 
March 22, 2016 

Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of 
the subcommittee, I am pleased to appear today to discuss the role of cyber insur- 
ance in risk management, and initiatives underway by HITRUST and the health 
care industry to ensure its role is enhanced. I am Daniel Nutkis, CEO and founder 
of the Health Information Trust Alliance, or HITRUST. I founded HITRUST in 
2007, after recognizing the need to formally and collaboratively address information 
privacy and security for health care stakeholders representing all segments of the 
industry, including insurers, providers, pharmacies, PBMs, and manufacturers. 
HITRUST endeavored — and continues to endeavor — to elevate the level of informa- 
tion protection in the health care industry, ensuring greater collaboration between 
industry and Government, and raising the competency level of information security 
professionals. 

In my testimony today, I would like to highlight how HITRUST helps elevate the 
industry’s cyber awareness, improve cyber preparedness and strengthen the risk 
management posture of the health care industry. In particular, I want to point out 
how cyber insurance is integral to this process. 

There should be no question as to the significance that managing cyber risk and 
an organization’s ability to respond efficiently and effectively to cybersecurity inci- 
dents plays in cyber resilience. To aid industry in cyber risk management, threat 
preparedness, and response, HITRUST has implemented numerous programs in co- 
ordination with industry stakeholders as part of its overall risk management frame- 
work (RMF). 

The HITRUST RMF provides a risk-based control framework, specifically the 
HITRUST CSF, which is a scalable, prescriptive, and certifiable risk-based informa- 
tion privacy and security control framework. It provides an integrated, harmonized 
set of requirements tailored specifically for health care. 

Health care organizations are subject to multiple regulations, standards, and 
other policy requirements, and commonly-accepted best practice standards, includ- 
ing implementing the NIST Cybersecurity Framework. However, these “authori- 
tative sources” often overlap in the depth and breadth of their requirements, which, 
when integrated and harmonized, can often be mutually reinforcing when intel- 
ligently applied in the intended environment. 

To ensure the HITRUST CSF remains relevant, it is reviewed and updated at 
least annually. The review not only takes into account changes in underlying regula- 
tions and standards, but it also considers best practices and lessons learned from 
security incidents, incident response exercises, and industry post-data breach expe- 
riences. 

This level of comprehensiveness, relevance, and applicability is why over 80 per- 
cent of hospitals and health plans, as well as many other health care organizations 
and business associates, have adopted the HITRUST CSF, making it the most wide- 
ly adopted privacy and security framework in health care. 

Also distinctive to the HITRUST RMF, the HITRUST CSF Assurance Program de- 
livers a comprehensive, consistent, and simplified compliance assessment and re- 
porting program for regulatory requirements, such as HIPAA, HITECH, and other 
Federal and State requirements, and the sharing of assurances between and 
amongst covered entities and business associates. Specifically designed for the 
unique regulatory and business needs of the health care industry, the HITRUST 
CSF Assurance Program provides health care organizations and their business asso- 
ciates with a common approach to manage privacy and security assessments that 
enables efficiencies and contains costs associated with multiple and varied informa- 
tion protection requirements. The CSF Assurance Program incorporates specific 
guidelines to allow a broad array of leading industry professional services firms to 
perform services, while allowing HITRUST to oversee quality assurance processes 
to ensure assessments are rigorous, consistent, and repeatable. 

An additional benefit of using the HITRUST RMF is that it supports assessment 
and reporting for multiple and varied purposes,¹ such as the evaluation of AICPA’s 
Trust Services Principles and Criteria and SSAE-16 SOC 2 reporting “scorecards” 
against regulatory requirements and best practice frameworks, such as HIPAA, the 


1 Health care organizations have been saving roughly 25–30% of audit costs when leveraging 
a HITRUST RMF Certification and an SSAE-16 SOC2 audit. Similar underwriting and auditing 
savings are also envisioned as the cyber insurance industry matures. 
NIST Cybersecurity Framework, and State-based covered entity privacy and secu- 
rity certifications like the SECURETexas program.² 

Just last month, HITRUST announced the availability of a new guide to assist 
health care organizations in implementing the NIST Cybersecurity Framework. This 
new guide was developed in consultation with the Healthcare and Public Health 
(HPH) Sector Coordinating Council (SCC) and Government Coordinating Council 
(GCC), along with input from other sector members and the DHS Critical Infra- 
structure Cyber Community (C3), to help HPH Sector organizations understand and 
use the HITRUST RMF to implement the NIST Cybersecurity Framework in the 
HPH Sector and meet its objectives for critical infrastructure protection. 

I would also note that the availability of the HITRUST CSF, HITRUST CSF As- 
surance program and this implementation guide also provides an excellent basis for 
the Department of Health and Human Services (HHS) to leverage “voluntary, con- 
sensus-based, and industry-led guidelines, best practices, methodologies, procedures, 
and processes that serve as a resource for cost-effectively reducing cybersecurity 
risks for a range of healthcare organizations.” 

HITRUST has spearheaded initiatives in other areas of cybersecurity as well. In 
2012, after identifying the need for coordination among stakeholders, HITRUST 
launched a cyber-threat intelligence-sharing and analysis program to provide threat 
intelligence, coordinated incident response and knowledge transfer specific to cyber 
threats pertinent to the health care industry. This program facilitates the early 
identification of cyber attacks and the creation of best practices specific to the 
health care environment and maintains a conduit through the Department of Home- 
land Security (DHS) to the broader cyber-intelligence community for analysis, sup- 
port, and the exchange of threat intelligence. HITRUST was also the first to track 
vulnerabilities related to medical devices and electronic health record (EHR) sys- 
tems, which are both emerging areas of concern. 

This program became the foundation for the HITRUST Cyber Threat XChange 
(CTX), which significantly accelerates the detection of and response to cyber threat 
indicators targeted at the health care industry. HITRUST CTX automates the proc- 
ess of collecting and analyzing cyber threats and distributing actionable indicators 
in electronically-consumable formats (e.g. STIX, TAXII, and proprietary SIEM for- 
mats) that organizations of almost all sizes and cybersecurity maturity can utilize 
to improve their cyber defenses. HITRUST CTX acts as an advanced early warning 
system as cyber attacks are perpetrated on the industry. The HITRUST CTX is now 
offered free of charge to the public and has gained wide acceptance within the 
health care industry. HITRUST is also a Federally-recognized Information Sharing 
and Analysis Organization (ISAO), has strong relationships with DHS and the Fed- 
eral Bureau of Investigation (FBI), and considers them integral partners in better 
addressing the threat landscape facing health care today and strengthening the con- 
tinuum of care. 

HITRUST also developed CyberRX, now in its third year, which is a series of in- 
dustry-wide exercises developed by HITRUST to simulate cyber attacks on health 
care organizations and evaluate the industry’s preparedness against attempts to dis- 
rupt U.S. health care industry operations. These exercises examine both broad and 
segment-specific scenarios targeting information systems, medical devices, and other 
essential technology resources of the HPH Sector.³ CyberRX findings are analyzed 
and used to identify general areas of improvement for industry, HITRUST, and Gov- 
ernment and to understand specific areas of improvement needed to enhance infor- 
mation sharing between health care organizations, HITRUST, and Government 
agencies. 

I only share this information to provide context on our engagement, experience, 
knowledge, and commitment in supporting the health care industry around cyber 
risk management. 

Now to the specifics of the topic at hand. We can all agree that managing the 
risks associated with cyber threats requires a comprehensive approach to risk man- 
agement, including the implementation of strong security controls such as the 
HITRUST CSF, continuous monitoring of control effectiveness, and routine testing 
of cyber incident response capabilities, such as in CSF Assurance and CyberRX. 
Commonly applied “network hygiene” only covers what is referred to as “basic block- 
ing and tackling.” Cyber information sharing, such as that facilitated by HITRUST 
CTX, is designed to help organizations go beyond basic “hygiene” by alerting organi- 
zations to potential cyber threats; however, information sharing is very much de- 


2 SECURETexas is the first State program of its kind in the country offering privacy and secu- 
rity certification for compliance with State and Federal laws that govern the use of protected 
health information (PHI). 

3 See https://www.dhs.gov/healthcare-and-public-health-sector. 
pendent on the maturity of participating organizations and their ability to consume 
and respond to the potential threat indicators that have been identified. 

While there is not a perfect solution to cybersecurity, the best strategy is to pre- 
vent, detect, and respond before the adversary achieves their objective. 

A data breach in the health care industry not only has financial and reputational 
effects on the company targeted by the threat actors, but the effects could be dra- 
matic for members, patients, and their families due to the nature of the data dis- 
closed. Personal health information or identities could be stolen directly from hos- 
pitals, insurance companies, pharmacies, and from any business associate sup- 
porting these organizations. Beyond the privacy implications of data breach inci- 
dents, these breaches have the potential to disrupt operations of a health care facil- 
ity or affect patient care. The various complexities, interdependencies, and unique 
attributes all create various risk levels that need to be considered across the con- 
tinuum of care. 

And HITRUST firmly believes cyber insurance and cyber insurance underwriters 
can play a key role in supporting an organization’s overall risk management strat- 
egy and help provide for the “adequate protection” of patient information. 

Organizations have relied heavily on cyber insurance as one of the means to re- 
duce the overall financial impact of cyber-related incidents or breaches. But after 
numerous cyber-related breaches affecting health care organizations over the past 
few years, it is clear that health care data is one of the prime targets of malicious 
cyber threat actors who strive to monetize the data they seize. As a result of in- 
creased targeting by threat actors and recent incidents, underwriters have deter- 
mined the risks were greater than they had anticipated given the methods lever- 
aged to evaluate risk and, subsequently, health care organizations’ cyber insurance 
premiums have increased dramatically. 

In many cases, companies who underwrite cyber insurance struggle with an effec- 
tive way to evaluate cyber risk and the full extent of a company’s cybersecurity con- 
trols. 

Every cyber insurer customarily uses a specific application for insurance, and 
each application differs substantially. These tools are intended to be used to help 
insurers gain an understanding of key risk controls, but are not intended to be used 
as part of a comprehensive assessment. Additionally, many cyber insurance carriers 
rely on a wide array of supplemental questionnaires intended to provide them with 
additional insight to support coverage and pricing decisions. However, the industry 
lacks a consistent underwriting process, given that the questions and applications 
can vary significantly from one carrier to the next. 

Insurance underwriters have always been investigating ways to efficiently and ac- 
curately evaluate risk and help health care organizations ensure health information 
systems and services are adequately protected from cyber risks. 

Leveraging HITRUST’s role in aiding industry in risk management, HITRUST ap- 
proached Willis Towers Watson (Willis), a leading insurance broker, to explore ways 
to leverage the HITRUST RMF to allow insurers to better evaluate cyber risk and 
to also address 3 concurrent needs: 

(1) Ensure people, processes, and technology elements completely and com- 
prehensively address information and cybersecurity risks; 

(2) Identify risks from the use of information by the organization’s business 
units; and 

(3) Facilitate appropriate risk treatments, including risk avoidance, transfer, 
mitigation, and acceptance. 

HITRUST and Willis established the following approach to educate and substan- 
tiate the value of leveraging the HITRUST RMF as the basis for their cyber under- 
writing programs in the health care industry: 

(1) Compare the use of the HITRUST RMF, and the HITRUST CSF in par- 
ticular, to current application-based risk evaluation and pricing methodology; 

(2) Map the HITRUST CSF to insurer applications to demonstrate how it ad- 
dresses the current application process and the additional depth it provides; 

(3) Show how superior risk evaluation efficiency and consistency can be 
achieved using assessment scores and summaries without sacrificing detail; 

(4) Identify where the HITRUST CSF assessment scores and summaries can re- 
place current application elements and other risk management-gathering meth- 
ods; 

(5) Use test cases to substantiate accuracy and efficiency of the HITRUST CSF 
as a key underwriting resource in risk evaluation that allows an underwriter 
to compare an application-based risk evaluation to HITRUST CSF assessment- 
based risk evaluation; 

(6) Correlate claims with HITRUST CSF scores for test cases in support of a 
pricing framework aligned with the scores; 
(7) Provide feedback to HITRUST on successful attack scenarios to bring under- 
writer experience and any key concerns into the HITRUST CSF development 
process to improve risk management; and 

(8) Explore a pricing framework based on HITRUST CSF certification and var- 
ious levels of control maturity in the certification process. 

By leveraging a standardized approach to control selection and risk assessment 
and reporting, underwriters and other stakeholders can obtain risk estimates that 
are accurate, consistent, repeatable, and evolving, that is, risk estimates that take 
evolving risks and threats into consideration. 

The goal is to integrate risk management into the underwriting process without 
adding confusion or unneeded complexity. HITRUST and Willis studied the relation- 
ship between HITRUST CSF and CSF Assurance control assessment scores, risk, 
coverage, and premiums to provide a simple, but effective data point to complement 
existing underwriting models. 

After many months analyzing the benefits of an underwriting program leveraging 
a robust risk management framework, both HITRUST and Willis saw immediate 
value in the approach and began educating underwriters on a cybersecurity assess- 
ment methodology that would provide the industry with consistent, repeatable, reli- 
able, and precise estimates of cyber-related risk. The HITRUST CSF and CSF As- 
surance program would provide underwriters with the information they could use 
to better understand an organization’s residual cyber risk, and apply to their under- 
writing process. 

The benefits of the HITRUST RMF-based underwriting model for cyber insurance 
in the health care industry allows organizations to maximize the benefits of dem- 
onstrating an enhanced information security posture. Ultimately, the better controls 
you have in place, the less likely you are to experience a breach. If a breach does 
occur, the potential impact will likely be contained and mitigated. This will trans- 
late into lower premiums and broader coverage for organizations who meet certain 
criteria defined by the HITRUST CSF. This is in many respects analogous to a 
“good driver discount program”. 

In addition to streamlining the underwriting process by leveraging their existing 
risk assessment, it also encourages organizations to consider the financial implica- 
tions of cyber-related risks. Specifically, analyzing the impact on premium from in- 
vestments reducing their cyber risks, which is the mindset and behavior we would 
like to see organizations engage in. 

Over the past 5 months, HITRUST and Willis have worked to educate cyber in- 
surers regarding the use of the HITRUST CSF and CSF Assurance program in sup- 
porting the cyber risk underwriting process. Insurers have found the HITRUST CSF 
to offer many advantages over the existing approaches, including providing a com- 
prehensive and mature controls framework, aligning strong controls with risk, and 
accurately and consistently measuring residual cyber risk. 

Allied World was the first company to offer preferred terms and conditions based 
on meeting the HITRUST CSF certification standards. After review and analysis, 
Allied World U.S. has determined that the HITRUST CSF framework and CSF As- 
surance methodology will enhance its underwriting program in terms of efficiency, 
consistency, and accuracy, allowing it to better align the effectiveness of an organi- 
zation’s security controls with cyber insurance premium levels. 

The review also concluded that organizations that had obtained a HITRUST CSF 
Certification generally posed lower cyber-related risks than those organizations that 
have not. The comprehensiveness and improved risk reporting enabled by the 
HITRUST CSF and the CSF Assessment summary scores in place of many of the 
standard information security application questions create a more streamlined and 
consistent application process. Allied World will also provide HITRUST with loss 
data in order to ensure the HITRUST CSF control guidance accurately reflects the 
associated risks. 

In addition, Willis and HITRUST are in discussions with 5 other cyber under- 
writers regarding leveraging this approach, with an expectation that 2 more will be 
participating by mid-year. It is clear that this approach is a win-win for the health 
care industry, underwriters, and of course, the members and patients whose infor- 
mation they are responsible for safeguarding. 

For health care organizations, it drives better behavior in the industry, supports 
better control selection, and helps prioritize remediation activity, which ultimately 
provides better protection for patients. For cyber insurance underwriters, it ensures 
premium costs are proportional to risk, provides more targeted coverage relevant to 
actual risks, and ultimately provides a more sustainable underwriting model. 

As you can see, the cybersecurity and risk management challenges facing the 
health care industry are complex and in some cases daunting, in many cases unique 
to industry dynamics, and they evolve at a pace that is unrealistic to manage by 
regulations and strict Governmental policy or high-level policy document. 

HITRUST, in partnership with industry, has been constantly working to establish 
programs to aid industry in mitigating cyber risks and is committed to be the link 
between the public and private sector that will continue to provide value and 
strengthen our industry, our Government, our economy, and our Nation as a whole 
against the growing cyber threats we face. 

HITRUST saw an opportunity to bring relevant industry stakeholders together to 
help health care organizations better manage cyber risk and help the insurance in- 
dustry better align cyber insurance premiums with this risk by leveraging a formal 
framework, like the HITRUST RMF. Risk management methodologies help compa- 
nies address applicable regulations, standards, and best practices, and health care 
and insurance industry threat data helps identify high-risk controls requiring execu- 
tive attention and link incidents to controls guidance. In many ways, this breach 
data helps inform insurance loss experience and allows cyber underwriters to play 
a key role in understanding where losses are occurring. 

HITRUST also believes this current cyber insurance platform could provide the 
risk management focus to further drive innovation and encourage health care orga- 
nizations to invest in maturing their information protection programs. HITRUST is 
working with underwriters to improve actuarial data and provide better estimates 
of risks while using threat and incident data to improve control selection within the 
HITRUST RMF. While we believe we have a novel approach and are leveraging new 
partners to grow its acceptance, mandates have the potential to stifle the innova- 
tions taking place in the marketplace. This market-based approach will provide a 
better insurance product for policy holders while allowing organizations to grow and 
mature their information security programs. 

HITRUST, through its many tools and programs, remains committed to ensure 
that the health care industry can properly address these challenges. Cyber insur- 
ance will be a key component in HITRUST’s approach to cybersecurity and cyber 
risk management, and we are excited about pioneering this approach to strengthen 
risk management. 

Thank you again for the opportunity to join you today and share these insights. 
I look forward to your questions. 

Mr. Ratcliffe. Thank you, Mr. Nutkis. The Chair now recog- 
nizes Mr. Finan for his opening statement. 

STATEMENT OF THOMAS MICHAEL FINAN, CHIEF STRATEGY 
OFFICER, ARK NETWORK SECURITY SOLUTIONS 

Mr. Finan. Chairman Ratcliffe, Ranking Member Richmond, and 
Members of the subcommittee, thank you very much for inviting 
me to address the role of cybersecurity insurance in risk manage- 
ment. I am greatly honored to share my perspectives with you 
about this very important topic. 

I am the chief strategy officer with Ark Network Security Solu- 
tions in Dulles, Virginia, but until recently I served as a senior cy- 
bersecurity strategist and counsel with DHS’s National Protection 
and Programs Directorate, where I led the Department’s Cyber In- 
cident Data and Analysis Working Group for the last 4 years. 

DHS engaged the cybersecurity insurance market early on be- 
cause of its tremendous potential to incentivize better cyber risk 
management, and our starting point really was the fire insurance 
market. Through years of collective claims information, insurers 
have been very successful in identifying the fire safety controls that 
need to be in place to protect lives and property. Those controls 
have become the gold standard. You can’t get a permit to build a 
commercial building, and you can’t get fire insurance for that build- 
ing unless you have those controls in place. 

We wanted to know if the cybersecurity insurance market could 
do the same thing. Specifically, could it help identify the cyber risk 
control equivalents of sprinkler and other fire suppression systems? 
We discovered that while the insurance industry will certainly get 
there, there is still more work to do. 

DHS initiated a series of public workshops from October 2012 
through the spring of 2014, to determine what obstacles are imped- 
ing the market’s progress. Brokers and underwriters identified 4, 
including a lack of actuarial data; the absence of common cyberse- 
curity standards, best practices and metrics; a lack of knowledge 
about critical infrastructure dependencies and interdependencies; 
and an on-going failure by many companies to include cyber risk 
within their existing enterprise risk management programs. 

In response, brokers and underwriters look to see if a company 
has an effective cyber risk culture to determine if it is a safe insur- 
ance bet. They identified 4 pillars of such a culture, including what 
roles executive leadership, education and awareness, technology, 
and relevant information sharing play in securing the business en- 
vironment. Given these findings, we asked our insurance partici- 
pants what we could do to help advance the cyber insurance mar- 
ket. They told us that we should turn our attention to the concept 
of a cyber incident data repository, one where companies could 
anonymously share their cyber incident data so it could be aggre- 
gated and analyzed for maximum risk management benefit. 

In December 2014, DHS accordingly established the CIDAWG to 
bring together brokers, underwriters, CISOs, and other cybersecu- 
rity professionals to discuss the repository idea. Throughout 2015, 
the group discussed 3 major topics: The value proposition for a 
cyber incident data repository, the kinds of data a repository would 
need to be successful, and how to overcome likely obstacles to re- 
pository sharing. A fourth topic, how a repository should actually 
be structured, will be the subject of a DHS workshop next month. 

We published 3 white papers last year that detailed the 
CIDAWG’s findings. The first, on the value proposition, identified 
5 kinds of analysis that would benefit brokers, underwriters, 
CISOs, and others. Specifically, analysis that identifies top cyber 
risks and the controls that are most effective in addressing them; 
analysis that informs peer-to-peer benchmarking, promotes sector 
differentiation, supports cyber risk forecasting, trending and mod- 
eling, and advances cyber risk management culture. The group 
then spent several months identifying 16 data categories that the 
CIDAWG believed would help deliver on that value, and we re- 
leased them publicly in September of last year. 

In December, the CIDAWG published its third white paper on 
likely obstacles to repository sharing and ways to overcome them. 
They included assuring anonymization of the repository, ensuring 
the security of the data it holds, cultural and regional challenges 
that could result in skewed data contributions, perceived commer- 
cial disadvantage to repository participation, internal process hur- 
dles, the perceived value of a repository, assuring appropriate, ade- 
quate, and equitable participation, and technical design issues. 

The CIDAWG was very successful in breaking down barriers be- 
tween the insurance industry and technical cybersecurity profes- 
sionals. I strongly believe that the same model could be adopted to 
help address the cybersecurity needs of mid-size and small busi- 
nesses that today are struggling to keep up. Although they are 
often key players in the global supply chain, and a source for the 
continued growth of the cybersecurity insurance market, they too 
often lack the budgets, expertise, staff, and time to adequately and 
consistently address their cyber risks. As a result, mid-size and 
small businesses tend to have weaker security that makes them 
not only easier to attack, but also a prime launching point for at- 
tacks against others. 

Cybersecurity expert exchanges, best practice knowledge sharing, 
compliance, automation, and coordination of cybersecurity invest- 
ments are just a few topics of conversation that a CIDAWG-like 
group could initiate to address this key area of vulnerability that 
affects us all. 

Thank you, and I look forward to your questions. 

[The prepared statement of Mr. Finan follows:] 

Prepared Statement of Thomas Michael Finan 
March 22, 2016 

Chairman Ratcliffe, Ranking Member Richmond, and Members of the sub- 
committee, thank you for inviting me to address the role of cybersecurity insurance 
in risk management. I am the chief strategy officer at Ark Network Security Solu- 
tions, a private company that provides software and services to accelerate standards 
compliance for enhanced security. Until this past December, I served as a senior cy- 
bersecurity strategist and counsel with the U.S. Department of Homeland Security’s 
(DHS) National Protection and Programs Directorate (NPPD), where I launched and 
led DHS’s Cybersecurity Insurance Initiative. I will describe the role that DHS has 
played in identifying and overcoming obstacles to a more robust cybersecurity insur- 
ance market. I will also discuss how the private-public engagement model that DHS 
has followed as a convener of the insurance conversation could be extended to ad- 
dress the cyber risk management needs of mid-size and small businesses nationally. 

DHS’S CYBERSECURITY INSURANCE INITIATIVE 

As a largely operations-focused organization, NPPD may not immediately come to 
mind as a likely candidate to lead a sustained discussion with stakeholders about 
cybersecurity insurance. NPPD has a more general mandate beyond its day-to-day 
cybersecurity mission, however, and its mission statement says it all: 

“NPPD’s vision is a safe, secure, and resilient infrastructure where the American 
way of life can thrive. NPPD leads the national effort to protect and enhance the 
resilience of the nation’s physical and cyber infrastructure.” 

That means DHS must do more than just help its partners extinguish rapidly- 
developing cyber risk “fires.” It also requires DHS to think more strategically and 
to figure out what cyber risk fires — and what potential solutions to them — may be 
ahead and then determine how to address both as part of its overall resilience mis- 
sion. Ultimately, DHS is in the risk management business. It is increasingly called 
to think about risk management not just 3 to 5 minutes, hours, or days ahead but — 
like its external partners — 3 to 5 years ahead. 

Insurance, we learned, is a key part of that process. When we began DHS’s in- 
quiry into the cybersecurity insurance market, we asked whether cybersecurity in- 
surance could — as a market force — raise the cybersecurity “floor” by getting more 
critical infrastructure owners to manage their cyber risk better in return for more 
relevant and hopefully more affordable policies. At the time, our point of reference 
was the fire insurance market. We knew that insurers had been very successful in 
identifying specific fire safety controls that today are not only conditions for cov- 
erage within fire insurance policies but also prerequisites for obtaining a building 
permit. Our hope was that brokers and underwriters together could help identify 
the cybersecurity equivalents of sprinkler and other fire suppression systems. What 
we discovered is that while they may get there one day, they are not there yet. 

Challenges 

From 2012 through 2014, DHS engaged a wide range of partners through a series 
of public workshops on the cybersecurity insurance topic. Our participants included 
brokers and underwriters, chief risk officers, chief information security officers, crit- 
ical infrastructure owners and operators, and members of the academic community. 
During the course of our conversations, we asked them whether now or in the future 
insurance could help incentivize better cyber risk management. DHS was especially 
interested in finding out if the market already provided coverage — or could eventu- 
ally provide coverage — for physical damages and bodily injuries that might result 
from a successful cyber attack against critical infrastructure. What we heard back 
is that several major obstacles continue to prevent insurers from providing more cy- 
bersecurity insurance coverage — specifically, higher limits — than they currently do. 
Chief among them are: 

• First, the market suffers from an on-going lack of actuarial data. Unlike fire 
insurance, insurers do not have 100 years’ worth of cyber loss data that they 
can use to build out new policies. This has inhibited them from providing more 
than the $10 to $15 million in primary coverage that they historically have of- 
fered customers for data breach and network security-related losses. Despite 
some recent progress, moreover, very few insurers provide discrete coverage for 
cyber-related critical infrastructure loss. When we asked why, the insurers ex- 
plained that for obvious reasons, they do not receive claims against policies that 
do not yet exist. Without such claims, however, they have no way to build out 
the actuarial tables they need to expand their offerings. In short, they are left 
with little insight into the growing number of SCADA and other industrial con- 
trol system attacks that are occurring world-wide. The insurers further ad- 
vised that they similarly lack a consistent source of raw cyber incident data 
that they could alternatively use to get their underwriting bearings in this area. 

• Second, brokers and underwriters cited the absence of common cybersecurity 
standards, best practices, and metrics as a further hurdle to a more robust mar- 
ket. They nevertheless cited the advent of the NIST Cybersecurity Framework 
in 2014 as a very positive development. Many advised that the Framework’s 
common vocabulary for cyber risk management topics was helping them have 
more in-depth conversations with their current and potential clients about their 
cyber risk profiles than otherwise would be the case. They also told us that they 
would like to see tailored versions of the Framework emerge for each of the Na- 
tion’s 16 critical infrastructure sectors that provide more particularized risk 
management information to their clients in those sectors. The ultimate utility 
of the Framework, they added, remains to be seen. Several underwriters ex- 
plained that they continue to seek answers to two key questions: (1) Are compa- 
nies that use the Framework having a better cyber loss experience than their 
peers that don’t; and (2) what Framework-inspired controls should be incor- 
porated into cybersecurity insurance contracts as conditions for coverage — like 
sprinkler systems for fire insurance? 

• Third, the workshop participants noted an on-going lack of understanding about 
critical infrastructure dependencies and interdependencies as another major ob- 
stacle. Like most of the population, brokers and underwriters do not know much 
about how a cyber-related critical infrastructure failure in one sector might cas- 
cade across multiple other sectors. Until they have a better idea about how big 
and bad related losses might be — and where a strategically-placed risk control 
might make a difference — they are reluctant to develop new insurance products 
to cover this loss category. Without more insight, one underwriter explained, 
one big loss affecting hundreds of clients could effectively put them out of busi- 
ness. 

• Fourth, a final challenge to the cybersecurity insurance market is the on-going 
failure by many companies to include cyber risk as part of their traditional en- 
terprise risk management — or ERM — programs. Despite the growing threat, 
many companies continue to treat cyber risk as an IT problem, separate and 
apart from the other business risks they face. Without including cyber risk 
within existing ERM programs, however, they really are not “doing ERM.” Con- 
sequently, they often are blind to their true risk profiles and may not be 
prioritizing their risk management resources most effectively. 

Cyber Risk Culture 

Given these obstacles, brokers and underwriters told us that they generally con- 
sider 2 major risk management factors when assessing a company’s qualifications 
for coverage: Its compliance with available cybersecurity standards and its risk cul- 
ture. In so doing, they pay particular attention to the internal cybersecurity prac- 
tices and procedures that a company has adopted, implemented, and enforced. Sev- 
eral underwriters advised that they focus primarily on risk culture when assessing 
a potential insured for coverage — leading them to draft custom policies for clients 
rather than more generic “template” policies that can be marketed more broadly. 
Regardless of their particular practices, practically all of the participants suggested 
that DHS should turn its attention next to how companies should go about building 
more effective cyber risk cultures. 
This made a lot of sense. We started thinking: If a core group of brokers and underwriters is looking to how companies individually manage their cyber risk, then maybe we could discover some lessons learned that might be more broadly applicable to others. We therefore identified 4 “pillars” of an effective cyber risk culture that appeared to merit a deeper dive. Those pillars included the roles of: 

• Executive Leadership. — What should boards of directors be demanding — and 
doing themselves — to build corporate cultures that manage cyber risk well? 

• Education and Awareness. — What messages, training, and accountability mech- 
anisms need to be in place internally in companies, among partnering compa- 
nies, and at a National level to help create a culture of cybersecurity? 

• Technology. — How should technology be leveraged to encourage better cyberse- 
curity practice? 

• Relevant Information Sharing. — Who within a company needs what informa- 
tion, and in what formats, to help drive more effective cyber risk management 
investments? 

Several core conclusions emerged from our discussions: 

• First, for many companies, the business case for more effective cyber risk man- 
agement investment still has not been made. The key reason for this appears 
to be that cyber risk by and large has not been reduced to terms that non-tech- 
nical business leaders can readily understand — namely, the financial costs of 
cyber events and the potential damages to reputation for failing to mitigate 
them adequately. Many of our participants suggested that to overcome this, 
companies should adopt ERM programs that incorporate cyber risk into the vast 
pool of other business risks they face. 

• Second, many of our participants called for more research when it comes to the 
costs and benefits of existing and future cybersecurity solutions. Once corporate 
leaders engage, they explained, they will want to know what investments to 
make to best manage their cyber risk. In other words, which controls offer the 
most cybersecurity bang for the buck? 

• Third, the participants explained that it probably is unrealistic to expect the in- 
surance industry to come up with a one-size-fits-all suite of cyber risk controls 
that everyone should adopt in return for more coverage and (eventually) lower 
premiums. What the underwriters told us is that they typically do not spend 
weeks with potential insureds reviewing and red-teaming every aspect of their 
organizations to see what is happening with their information security. More- 
over, they no longer subject corporate IT professionals to hundreds of detailed 
questions getting at the technical and human-based control aspects of this infor- 
mation. Instead, they usually survey the companies — asking just 20-25 ques- 
tions directed at basic, high-level information security issues to eliminate only 
the most ill-prepared companies from coverage consideration. 

This third point, however, does not mean that the insurance industry does not 
have an important cyber risk management role to play. On the contrary, what a 
growing number of strategically-focused brokers and underwriters look for during 
the underwriting process, separate and apart from the insurance application, is how 
well companies understand where they uniquely sit in the cyber risk landscape and 
what they are doing about their particular circumstances. Put simply, this means: 

• Do they know what cyber incidents are actually happening to them based on 
their own data and reports from outside sources? 

• Do they know — through public sources and private conversation — what kinds of 
cyber incidents are happening to other companies like them; and 

• What cyber risk management investments are they making based on this infor- 
mation? 

In other words, these brokers and underwriters are assessing whether a company 
exhibits an engaged cyber risk culture — one where corporate leaders support risk 
mitigation efforts aimed at the cyber risks most relevant to their companies. Such 
engagement serves as a critical point of differentiation between companies that rep- 
resent a safer versus unsafe cyber risk. 

ACTION OPTIONS 

During DHS’s fourth and final public workshop in April 2014, we asked our insur- 
ance participants how we could best help them work through some of the cybersecu- 
rity insurance market’s persistent challenges. They identified 3 topic areas for fur- 
ther discussion: 

• Cyber incident information sharing (as opposed to cyber threat sharing), with a specific focus on the value of creating an anonymized cyber incident data repository; 

• Cyber incident consequence analytics; and 

• Promotion of comprehensive ERM strategies that incorporate cyber risk. 

When we asked how to prioritize this list, the insurance participants agreed that DHS should focus first on the concept of a cyber incident data repository — specifically, one that helps meet the cyber risk analysis needs of the insurance industry, chief information security officers (CISOs), chief security officers (CSOs), and other cybersecurity professionals. 

From the start, the brokers and underwriters described a repository notionally as 
a place where companies could anonymously share their cyber incident data. That 
data, they explained, could then be aggregated and analyzed to increase awareness 
about current cyber risk conditions and longer-term cyber risk trends. They ex- 
plained that this information could benefit not only the insurance industry with its 
risk transfer efforts but also CISOs, CSOs, and other cybersecurity professionals 
with their complementary cyber risk mitigation efforts. The brokers and under- 
writers emphasized that these professionals should be central to any future reposi- 
tory discussion. They felt strongly that if the men and women on the front lines of 
cybersecurity are not “bought in” on the idea, then all the talking in the world 
would be for naught. We agreed and endeavored to engage not only insurance ex- 
perts but also these day-to-day practitioners who had hands-on knowledge about 
cyber incidents and the kinds of analysis that would help them better prepare, re- 
spond, and recover from them. The results from our initial follow-up conversations 
testing the waters were promising: 

• From the insurance side, we heard that a repository could help the industry 
build up the information stores it needs to better understand the impacts of 
cyber events, their frequency, and the optimal controls for mitigating particular 
kinds of cyber incidents. Various brokers and underwriters told us that this 
knowledge could help them scope and price policies that contribute more effec- 
tively and more affordably to a company’s overall corporate risk management 
strategy. Many of them believed, moreover, that a repository one day could help 
them provide more cybersecurity insurance at lower rates to clients that invest 
in so-called “best-in-class” controls. Repository-supported analysis, they explained, would be essential for identifying those controls. 

• For their part, the CISOs and CSOs told us that repository-supported analysis 
could help them conduct much-needed peer-to-peer benchmarking and other ac- 
tivities that could bolster their in-house cybersecurity programs. 

• Cybersecurity solutions providers reported that they also have a critical stake 
in any future repository. They explained that repository-supported analysis 
would likely influence how the market for new solutions develops. Specifically, 
they told us that greater knowledge about longer-term cyber incident trends will 
inform the kinds of products and services that they create to meet the risk miti- 
gation needs of clients across every industry sector. 

THE CIDAWG 

In late 2014, DHS approached the Critical Manufacturing Sector Coordinating 
Council (CMSCC) to sponsor and identify willing CISOs to participate in the newly- 
initiated Cyber Incident Data and Analysis Working Group (CIDAWG). The CMSCC 
was immediately supportive of the repository concept and named several CISOs to 
the group. DHS also was very fortunate to be joined by a number of brokers and 
underwriters from the previous public workshops who had been strong proponents 
of the idea. At the outset, the CIDAWG included about 10 brokers and underwriters 
that were among the top thought leaders in the cyber insurance industry. DHS 
paired them with approximately 25 CISOs, CSOs, and other cybersecurity profes- 
sionals to enter into a sustained dialogue about 4 main agenda items: 

• The value proposition for a cyber incident data repository; 

• The data categories necessary to support repository-supported analysis that 
helps companies manage their cyber risk better; 

• How to encourage the voluntary sharing of cyber incident data into a repository; and 

• How a repository should be structured in any proof of concept stage. 

To be clear, DHS is not building a repository. Instead, it is creating a safe space 
for people to discuss how a repository notionally should come together as a place 
where companies feel comfortable sharing their cyber incident information anony- 
mously. To do so, DHS established several ground rules that have been critical to 
the success of the project to date: 

1 The CIDAWG’s conclusions about the first 3 of these topics are included in a series of white papers available on DHS’s Cybersecurity Insurance webpage, accessible at https://www.dhs.gov/cybersecurity-insurance. 

• During DHS’s previous public workshops, we learned that hosting our discussions on a confidential basis helped promote rigorous debate. We therefore followed suit with the CIDAWG and held all of our meetings under the auspices 
of the Critical Infrastructure Partnership Advisory Council (CIPAC), a mecha- 
nism that allowed us to keep them closed to the public. We likewise strictly en- 
forced the Chatham House Rule to ensure a constant flow of conversation 
among CIDAWG participants. 

• At all times, DHS also tried to be sensitive to the demands that the CIDAWG’s 
work placed on its members. They were located all over the country across 
every time zone, and we recognized that their time was extremely valuable. To 
that end, we scheduled CIDAWG teleconferences for up to twice a month, for 
up to 2 hours at a time. While we scheduled 2 in-person meetings for the group 
in the Washington, DC, area during the year, we did so only with the partici- 
pants’ consent. We also provided them with several months of lead time so they 
could provide notice to their employers and budget and plan for the meetings 
accordingly. 

The Value Proposition 

The CIDAWG’s first topic was the value proposition for a repository. How could 
it help advance the cause of cyber risk management and what kinds of analysis 
would be most useful to the cybersecurity industry, to CISOs and CSOs, and why? 
The brokers and underwriters responded that a repository could help facilitate the 
development of cybersecurity best practices that insurers should require within their 
policies as conditions for coverage. The CISOs and CSOs added that a repository 
could provide the data needed for more insightful peer-to-peer benchmarking that 
could help justify — or modify — existing cybersecurity investments. As they ex- 
plained, knowing how a company’s peers are faring on the cyber risk management 
front and how it compares to them goes a long way toward making the business 
case for needed funding. Both groups noted that repository-supported analysis like- 
wise could help the cyber risk management community identify longer-term cyber 
risk trends, allowing for new kinds of cyber risk forecasting that could help further 
inform cybersecurity budgets. 

In June of 2015, the CIDAWG completed its first white paper that captured the 
group’s core findings. The paper detailed 6 major value proposition categories for the 
kind of repository that they were envisioning. Specifically, they believed that it 
could help by supporting analysis that: 

• Identifies top cyber risks and the most effective controls to address them; 

• Informs peer-to-peer benchmarking; 

• Promotes sector differentiation; 

• Supports cyber risk forecasting, trending, and modeling; and 

• Advances cyber risk management culture. 

The Data Categories 

In September 2015, the CIDAWG released its second white paper about the cyber 
incident data categories that contributors should share into a repository to deliver 
on that value. Early on, the brokers and underwriters explained that they wanted 
to know more about the types of cyber incidents that are happening; their severity, 
impacts, and time lines; the apparent goals of attackers; effective response tech- 
niques; involved parties; and risk controls that are making a difference. During the 
course of our conversations, we asked the CIDAWG participants to flesh all this out 
by telling us what value each data category potentially brings to a better under- 
standing of cyber incidents; what each one actually means and to whom; which data 
categories were the greatest priority, to which stakeholders, and why; and which of 
them are actually accessible. 

What was particularly gratifying to see was how the CIDAWG members came to 
view each data category in relation to at least 1 of the 6 value proposition categories 
that they had previously identified. During their deliberations, they asked them- 
selves, “How does this particular data category deliver on the value that we’re all 
seeking together?” After 3 months of work, this resulted in a very compelling final 
list. While the brokers and underwriters were the first to offer up their ideas — they 
came up with 16 of their own data categories — the discussion did not stop there. 
The CISO and CSO participants identified their own set of 9 data categories that 
they believed were essential from a cybersecurity operations perspective. After 
sometimes intense debate and discussion, the CIDAWG completed a final list — coin- 
cidentally, of 16 consolidated data categories — that are a priority for both the insur- 
ance industry and cybersecurity professional community alike. They include: 

• Type of incident; 

• Severity of Incident; 
• Use of a Cyber Risk Management Framework; 

• Incident Time Line; 

• Apparent Goal(s) of Attackers; 

• Contributing Causes; 

• Specific Control Failures; 

• Assets Compromised or Affected; 

• Types of Impacts; 

• Incident Detection Techniques; 

• Incident Response Playbook; 

• Internal Skills Sufficiency; 

• Mitigation and Prevention Measures; 

• Costs; 

• Vendor Incident Report; and 

• Related (Contextual) Events. 

Overcoming Obstacles 

As a next step, the CIDAWG addressed how private companies and other organi- 
zations could be encouraged to voluntarily share all this information into a reposi- 
tory. To prepare for this conversation, the CIDAWG hosted several experts who de- 
scribed already existing and on-going information-sharing efforts. Our hope was that 
the CIDAWG would use these models to propose similar approaches for an 
anonymized cyber incident data repository: 

• Representatives from the Department of Defense (DoD) provided a very helpful 
overview of some of the information-sharing work that is being done by Defense 
Industrial Base or “DIB” companies. Specifically, DoD shared its insight into 
how DIB companies have created a trusted information-sharing environment by 
adopting a unique way of anonymizing data and using Non-Disclosure Agree- 
ments. 

• The MITRE Corporation likewise detailed the progress of the Aviation Safety 
Information Analysis and Sharing System — the so-called “near-miss” database — 
that MITRE established and runs in partnership with the aviation sector. Spe- 
cifically, the representative outlined the best practices MITRE had developed to 
promote the anonymized sharing of near-miss information by pilots, flight at- 
tendants, ground crews, and others to enhance flight safety. 

• The Alliance for Telecommunications Industry Solutions (ATIS) also shared its 
experiences in creating a trusted environment for the confidential sharing of 
highly-sensitive network outage information. 

In December 2015, the CIDAWG released its third white paper that identified 8 
perceived obstacles to repository sharing and potential ways to overcome them, 
many of which had been inspired by these outside group briefings. The obstacles in- 
cluded: 

• Assuring Anonymization (prevent data from being traced back to a particular 
contributor); 

• Ensuring Data Security (protect the repository itself from breaches); 

• Cultural Challenges and Regional Differences (avoid potentially skewed data); 

• Perceived Commercial Disadvantage to Participating in a Repository (address 
concern that participation could negatively impact business operations); 

• Internal Process Hurdles to Participation (find ways to work through key re- 
viewers); 

• Perceived Value of Participation (evangelize the bottom-line benefits of partici- 
pation); 

• Assuring Appropriate, Adequate, and Equitable Participation (develop a series 
of benefits available only to repository contributors); and 

• Technical Design Issues (make the repository easy to use). 

Outcomes 

DHS and the CIDAWG are currently planning a public workshop in April 2016 
to obtain feedback on the CIDAWG’s white papers. Specifically, they are planning 
to dive into the 16 cyber incident data categories in order to validate them. They 
also plan to assemble a panel of experts who will offer recommendations about how 
a repository should function during any future proof of concept stage. 

While the CIDAWG will likely make a number of recommendations for next steps 
based on this input, one of them already is clear: The Federal Government should 
not actually own or operate the repository. While the CIDAWG members reported 
that they would welcome data from Federal agencies into a repository, they felt 
strongly that the private sector should find its own way during a future repository 
implementation stage. At the same time, however, they expressed great interest in 
DHS continuing to convene the CIDAWG and any other working groups to take the work to the next level. 

CYBERSECURITY FOR MID-SIZE AND SMALL BUSINESSES 

As with the CIDAWG, DHS’s convening power could provide tremendous benefit 
when it comes to helping mid-size and small businesses struggling with their cyber- 
security efforts. By some estimates, the cybersecurity insurance market today is 
growing at 30% a year. Brokers and underwriters alike agree that mid-size and 
small businesses represent the next cohort of clients that they need to engage in 
order to sustain that growth. While the market already offers cybersecurity policies 
geared to these enterprises, they face the same challenge as their larger counter- 
parts: Managing their cyber risk well over time in order to qualify for meaningful 
coverage. Unlike those counterparts, however, mid-size and small businesses tend 
to have weaker security that makes them much easier to attack successfully. It like- 
wise makes them a prime launching point for attacks against others. As the “Tar- 
get” data breach in 2013 starkly demonstrated, a cybersecurity failure by 1 small 
business — in that case, a heating, ventilation, and air conditioning (HVAC) vendor — 
can impose hundreds of millions of dollars in lost income and related litigation and 
settlement costs. 

Mid-size and small businesses are falling behind for several reasons. As an initial 
matter, most lack the budgets, expertise, staff, and time to adequately and consist- 
ently address their cyber risks. Many have concluded — wrongly — that their relative 
anonymity protects them from breaches and cyber-related business interruption 
events. Given competing business concerns, moreover, still others have simply cho- 
sen not to prioritize cyber risk management very highly. Mid-size and small busi- 
nesses accordingly often fail to comply with common cybersecurity standards that 
promise real protection through the deployment of appropriate security infrastruc- 
ture. A growing number, for example, use the cloud as a cost-saving measure for 
their transactions, unfortunately without strong encryption technology in place. As 
a result, these businesses represent the weakest links in the global supply chain, 
making them less attractive business partners. 

Large companies have awoken to this problem and are increasingly inquiring of 
their current and potential supply chain partners about the effectiveness of their 
cyber risk management programs. In many cases, the less-than-stellar answers they 
receive present a quandary that raises difficult questions: 

• How should large companies define and measure “reasonable cybersecurity” for 
the mid-size and small companies with which they partner? 

• Would imposing their own, potentially more costly cybersecurity requirements 
effectively put those enterprises out of business? 

• Should large companies sever business ties with mid-size and small vendors 
and suppliers in favor of others that in reality may be no more “cyber secure”? 

• How and how often should they verify whether a mid-size or small business is 
actually complying with cybersecurity requirements over time and “course ad- 
justing” their cyber risk management investments in response as necessary? 

• When does the risk of transacting business with a less-than-secure enterprise 
outweigh a large company’s absolute need for a unique service or product that 
that enterprise provides? 

• Does a cyber insecure organization provide products or services at such a com- 
petitive rate that a larger company should continue to take a chance through 
continued partnership? 

Part of the answer to these questions is that cybersecurity in today’s hyper-con- 
nected world is not like the television game shows “Weakest Link” or “Survivor” 
where mid-size and small businesses should somehow be eliminated or voted off the 
island automatically because they suffer a breach or other damaging cyber event. 
The fact of the matter is that all businesses — large, mid-size, and small — are linked 
through the supply chain. They all are on the same island. Accordingly, they need 
to work with each other to survive and thrive in today’s fast-evolving cyber risk en- 
vironment. Cybersecurity collaboration among these enterprises has never been 
more essential. 

DHS should consider convening an on-going conversation focused on this topic. 
The CIDAWG provides an excellent model for how different cybersecurity stake- 
holders — brokers, underwriters, CISOs, CSOs, and other cybersecurity profes- 
sionals — can be drawn together to confidentially discuss shared cyber incident data 
and analysis requirements. A similarly-structured dialogue could focus large, mid- 
size, and small business attention on the specific approaches and support structures 
needed to advance the cybersecurity performance of all partners across the supply 
chain. 
Brokers and underwriters would have particularly insightful perspectives to share 
on this topic given their growing interest in encouraging better cybersecurity among 
the mid-size and small businesses that will comprise a sizable portion of their future 
client base. A new working group could assess, for example, how more effective cy- 
bersecurity collaboration among all supply chain partners — through initiatives like 
cybersecurity expert exchanges, best-practice knowledge sharing, compliance auto- 
mation, and coordination of cybersecurity investments — might help establish mid- 
size and small businesses as more attractive insurance risks. As brokers and under- 
writers learn more about which cyber risk controls work for larger companies, they 
could become a powerful voice regarding which ones should be prioritized and adapt- 
ed to the needs of the vendor and supplier community. Over time, the group’s rec- 
ommendations could be developed, shared, and updated through a standing private- 
public partnership effort dedicated to this issue. 

Thank you. I am happy to answer any questions you may have. 

Mr. Ratcliffe. Thank you, Mr. Finan. I now recognize myself for 
5 minutes of questions. 

Mr. McCabe, I want to start with you. You know, in having this 
hearing and looking at the cyber insurance market more broadly, 
as I’ve talked about, I want to get to a point where we see a perme- 
ation of the market where cyber insurance becomes commonplace. 
I’m hopeful that, in the future, we get to the point that Mr. Finan 
was just making, where any small business who sells their products on-line through a public-facing website would be able to buy appropriate and effective cyber insurance. 

From your perspective, where you are at Marsh, can you see that 
happening, and if so, what factors or changes have to take place 
for us to get there? 

Mr. McCabe. So as I said in my testimony, the takeup rate in- 
creases over the last 3 years have been very healthy double-digit 
takeup rates. So I think that what we have here is a very strong 
growing market. I absolutely believe that this is going to become 
a common coverage for each company to carry. 

I think probably one of the limitations right now is that security 
dollars are always finite. You have companies that are assessing, 
well, do I spend another dollar on a technical solution, or do I put 
that dollar towards insurance? Quite frankly, I think we often face 
a culture where companies would prefer technical solutions. But 
over time we discovered that there is no silver bullet and that 
there is always going to be some residual risk, despite how strong 
your practices are. 

So I think that is what is really driving insurance as a product 
today, and I think it is going to continue to grow. 

Mr. Ratcliffe. Thank you. 

Commissioner Hamm, in your testimony, you talked about the 
lack of actuarial data. What that led to, I believe you said, was 
that in cyber we see more customized policies, and because they’re 
more customized, they’re more costly. Can you speak to how addi- 
tional cyber incident data could be leveraged by insurance commis- 
sioners like you? I mean, does that lead to more diverse cyber prod- 
ucts? 

Mr. Hamm. So to begin, to me, where that actuarial data is pri- 
marily going to be used is by the industry itself to get more of a 
comfort level in coming up with products, developing those prod- 
ucts. Then as they do that, those products would then be submitted 
to State insurance departments to review the rates and forms. So 
if those are based on better actuarial data, there is more of a likelihood that once they reach State departments of insurance, that 
those products will then be approved and then hit the market. So 
that would probably be my answer to your question there. 

I would say, though, I want to make sure and highlight, what 
you said in your opening statement was spot on. This market is in 
its infancy, and it is going to take decades before you get predict- 
ably to a fully mature and developed market. So what this market 
really needs is time, patience, and support, and support from folks 
like you, folks like me as a regulator, to help with that actuarial 
data piece so that the market can grow organically over time. 
Thank you. 

Mr. Ratcliffe. Thank you. I appreciate the comments. 

To that point, about aggregating data, I want to shift to you, Mr. 
Nutkis, and ask you, with respect to the ISAO model, when it 
comes to aggregating cyber incident data, what are the aspects of 
it from your perspective that can facilitate this process, if it can? 

Mr. Nutkis. Sure. So we see the ISAO model having a lot of po- 
tential to support both the aggregation of data, but then also the 
ability to link the cyber threats that are coming in through the 
ISAO through threat catalogues to the bolstering of the controls 
framework itself. So it is another feed, as the actual data is, into 
strengthening the controls, which therefore the organizations then 
have a better security posture and, hopefully, less residual risk. 

Mr. Ratcliffe. Okay. Thank you. Have your members found 
that applying for cyber insurance, has it caused them to bolster 
their cybersecurity standards? Is that an assumption we can state? 

Mr. Nutkis. So I think what our members have found is that 
cyber insurance has become very, very expensive, a lot more expen- 
sive than it was in the past, and that they are, as I think was men- 
tioned, they are looking at ways to figure out where they should 
invest the dollars they have. They have a pool of dollars. I think 
what we have demonstrated is, is that if, in fact, you make good 
decisions on your cyber controls, you can reduce your cyber pre- 
miums, and therefore you have better cyber resilience, and you still 
get cyber insurance. That’s the behavior I think we’re trying to 
drive to, which is getting people to focus on really minimizing re- 
sidual risk and finding ways to more cost effectively do that. 

Mr. Ratcliffe. Thank you. My time has expired. I’m hoping 
maybe we will do another round of questions. But I will now recog- 
nize the Ranking Member for his questions. 

Mr. Richmond. Thank you, Mr. Chairman. I will just pick up 
where you left off. Mr. Finan, I think in your testimony you talked 
about comparing it to a building fire and fire suppression devices. 
But I will tell you, as a person who went through Katrina and Rita, 
the two big hurricanes in Louisiana, after those hurricanes, we as 
a legislature went in and said, you know what, maybe we need to 
reexamine our building codes. We need to make sure that we re- 
quire people to build homes that can withstand winds of X, and da, 
da, da. 

So part of it, I guess, seeps into what we would consider risk cul- 
ture. So I guess that, you know, as we talk about you all identi- 
fying companies as they examine their enterprise-wide risk, the 
risk of a cyber attack is low on their priority analysis. How do we 
or does the insurance change not only behavior but standards 
across the whole potential clientele for cyber insurance? 

Mr. Finan. Thank you, Congressman. I think it does. One of the 
discoveries that we made during the CIDAWG conversations, and 
even in the prior workshops that we held, is that a lot of this is 
a cultural problem. You have boards of directors and senior leaders 
that are very comfortable with traditional business risks. They can 
range from workplace violence to competition. Cyber risk unfortu- 
nately, even in some very large companies today, have been rel- 
egated to sort of the IT department. Frankly, those aren’t people 
that often talk with one another. 

The CISOs and other cybersecurity professionals that we were 
engaging were having a very hard time breaking through. How did 
they express what they knew in business terms, chiefly, the finan- 
cial impact of a cyber event, and the reputational damage to a com- 
pany that could result if a breach or a vulnerability leading to a 
breach wasn’t properly addressed beforehand? 

I think insurance, though, plays an incredibly valuable bridging 
role in that the boards of directors and chief risk officers and CFOs 
understand what insurance is about, and they see the business 
benefit to it. CISOs are increasingly seeing it as an avenue to ex- 
press what they know. One of the great things about the CIDAWG 
was that we were able to bring the insurance industry together 
with a lot of cybersecurity professionals who wouldn’t again nor- 
mally speak to one another, but they started to understand what 
each other’s concerns were, the underwriters and brokers certainly 
wanting to sell an insurance product but also not wanting to take 
on too much risk by overextending the policies that they were offer- 
ing. The technical expertise of a CISO, once you combine those, 
you’re really addressing both sides of the same coin. 

So I think one of the outputs of the CIDAWG effort is that you 
have the insurance industry and the cybersecurity professional 
community more in sync and speaking together, using the same vo- 
cabulary to express that business risk that is cyber risk. So I see 
insurance as a vehicle to really make cyber risk more of an enter- 
prise risk management problem, and it is something that I think 
should be strongly encouraged. 

Mr. Richmond. I guess another part of what I heard today was 
the cost and whether, you know, we can — I guess in my world, I 
would say actuarially sound. If the actuarially sound part is some- 
thing that we focus on, I guess my question would be, for compa- 
nies that have not invested in their cybersecurity, their information 
technology, and all those things to make their company stronger to 
fend off a cyber attack, is the insurance affordable? For companies 
who do that and invest in it, is the insurance affordable? 

So I guess my question is: Is this something that small busi- 
nesses would be able to afford, and is it something that our large 
businesses can afford? Probably Mr. McCabe or Mr. Hamm. 

Mr. McCabe. So cyber insurance is made available to every size 
of business. We segment our brokerage depending on the revenues 
of the clients, and we have a specific group that are specifically 
concentrating on small and mid-size business. You know, I would 
estimate that the takeup for small and mid-size businesses on 
cyber insurance is somewhere around 20 percent. That lags behind 
larger organizations that have more than a billion dollars in rev- 
enue, but still, a very healthy takeup and still growing rapidly. 

As far as the moral hazard issue, I mean, if a company is not 
investing in their basic security, I would imagine that they are 
most likely not going to invest in the cyber insurance aspect of it 
either. I don’t think that in the cyber insurance industry, I don’t 
think that the moral hazard problem is really applicable. I mean, 
and that would be in comparison to, well, I have fire insurance so 
I am going to leave greasy rags around the house and I am going 
to leave highly flammable foods next to them because, you know, 
I have my house secured with insurance now. 

I mean, nobody knows how big the breach is going to be, and no- 
body knows what the outcome of a cyber breach might be. Execu- 
tives could lose their job. You could lose the entire shop. You know, 
potentially an entire company could go down from a cyber breach. 
That is why it really does need, as has been spoken on this panel 
previously, enterprise risk management, because this is one of 
those risks that can take an evenly sailing ship and knock it right 
off course. I think that cyber insurance is a piece of the puzzle that 
supports the other aspects of risk management. 

Mr. Richmond. Thank you. I yield back. 

Mr. Ratcliffe. I thank the gentleman. 

The Chairman now recognizes the gentleman from Pennsylvania, 
General Perry. 

Mr. Perry. Thank you, Mr. Chairman. 

Mr. McCabe, I am sorry I had missed the opening part of your 
testimony, so I don’t want to rehash stuff that has already been 
gone over, but your last comments kind of piqued my curiosity. I 
am a guy that started a business in my mom’s garage. Right. That 
was a long time ago, and we weren’t so concerned about this at the 
time. But did you say that there are policies for every level of busi- 
ness, and at the smaller level they are based almost solely on the 
business’s income? I just want to kind of make sure I understand 
what you said there. 

Mr. McCabe. So premiums are always going to be tied to the sec- 
tor of the business 

Mr. Perry. Right. 

Mr. McCabe [continuing]. The revenues of the business, and the 
security practices. Those are probably the largest 3 determinatives 
of what a premium is going to be. Yes, I mean for me, you know, 
probably if I am involved with putting a program in place, the limit 
of a policy is typically going to be for $10 million for the first pri- 
mary sold. Right? That is not going to be true for every company. 
Smaller companies can get million-dollar, much smaller policies. 

Mr. Perry. Can you give me an idea? You want a million-dollar 
policy, as a guy that ran a business, in the scope of everything else, 
plant and equipment and employees, and all the other products 
that you got. What are we talking about? Is it a 6-month premium? 
Is it an annual deal? 

Mr. McCabe. It is an annual deal. 

Mr. Perry. Give me some idea. 

Mr. McCabe. To tell you the truth, I am going to be more solid 
on premiums for much larger businesses because that is the class 
that I handle. But you do have to remember, even from your ques- 
tion, it is a wide-open question because for the business that you 
are running, well, how big is your digital footprint? How on-line are 
you? How much do you rely on on-line presence to conduct your 
business? What is the manner of your business? Are you collecting 
health data? Are you collecting 

Mr. Perry. I understand the risk exposure, and I am kind of ask- 
ing you how long is the string. But if you could, at some point after 
the fact 

Mr. McCabe. Absolutely. 

Mr. Perry [continuing]. Give us some kind of idea, based on 
some of that criteria, what businesses are looking at just, you 
know, so we can kind of be in the game on that. 

I want to move on a little bit. Mr. Hamm, how do we ensure 
these policies keep up with something as evolving as this? I mean, 
you know, I think about upgrades. I used to do P and C limits, 
right. So when you upgrade, when you put airbags in, or you do 
all these safety systems of an industry moving towards a certain 
direction, or sprinklers or whatever, this industry involves bad ac- 
tors that are moving in a nonlinear fashion. They don’t announce 
their intention, and so you don’t know what your risk is day-to-day. 
How do we keep up? 

Do you have any — that almost sounds like an unanswerable 
question, too, but you’re in the position to have to answer. 

Mr. Hamm. I’ll do the best I can to answer it. To begin with, be- 
cause this line of insurance is still in its infancy, we are basically 
at a point where if you have seen one cybersecurity policy, you 
have seen one cybersecurity policy. Right? So my colleagues and I, 
and there are 11,500 of us in State insurance departments across 
the country, we are busy reviewing the rates and forms that are 
coming in from companies looking to sell these sorts of products, 
and you have about 4 or 5 dozen of those companies out there sell- 
ing these. 

So we are making sure that from a standpoint of a regulator, 
that the products that are actually hitting the market are com- 
plying with State laws in the 50 States. In addition to that, we are 
reviewing those companies to make sure that they are financially 
sound so that they will be there to pay claims when they come due. 
Because the only way this market is going to go from infancy to 
fully developed is if there is a comfort level by individuals and 
businesses and Governmental entities that what is actually grow- 
ing and developing in this country, in terms of a cyber insurance 
market, is actually going to be there for the long haul. 

Mr. Perry. So that speaks to the lawfulness or, you know, com- 
plying and comporting with what you said the rules and require- 
ments — 

Mr. Hamm. Right. 

Mr. Perry [continuing]. And I guess to soundness of the institu- 
tion. But it doesn’t necessarily get to the issue of an ever-changing 
landscape from an actuarial standpoint, from a risk assessment 
standpoint. 

Mr. Hamm. Which is a big part of why this market is developing. 
Even though it is developing quickly, in some ways it is developing 
slowly, because they need more and more data in order to answer 
the question you are asking. 
Mr. Perry. So Mr. Nutkis talked about this a little bit, and 
maybe the question should be for him, but I want to stay on you 
a little bit. So who should determine the standards? I am not a big 
Federal Government guy. I know I am sitting in the place, but who 
is determining the standard? If it is the insurance industry, is the 
fox guarding the henhouse? Am I going to be required to report? 
Is the insurance company going to — you know, the insurance com- 
pany that has my policy is going to want to know my risk exposure. 
How do we determine, and should we be determining, the greater 
risk exposure? I mean, one thing begets another. 

I know there is a whole lot of questions there, but 

Mr. Hamm. Right. 

Mr. Perry. Where is the repository of all this information, and 
how do you safeguard it? I mean, it is different than accident crash 
data or something like that. Right? So how do we do this for this? 

Mr. Hamm. So I am going to do the best I can to answer that 
question. From my perch as a regulator, I don’t really much care 
where the repository of that data is. Okay? I don’t care if it is some 
arm of the Federal Government, if it is some private entity. That 
doesn’t matter to me. What matters is that that data that is actu- 
ally being gathered is useful, okay, and it is being shared with me 
as a regulator so I can do my job. 

Mr. Perry. But as a regulator, and it is a guy that this is your 
business, this is your livelihood, your passion, your expertise, what 
is your recommendation? Do you want another Federal program? 

Mr. Hamm. No. 

Mr. Perry. Okay. All right. That’s all I needed to do hear. Thank 
you. 

Mr. Chairman, I yield back. 

Mr. Hamm. Thank you for the lifeline. 

Mr. Ratcliffe. I thank the gentleman. 

The Chair now recognizes the gentleman from Rhode Island, the 
Chairman of the House Cyber Caucus, Mr. Langevin. 

Mr. Langevin. Thank you, Mr. Chairman. I want to thank you 
for holding this hearing. I want to thank our witnesses for being 
here today and deeply appreciate your work with DHS and on this 
issue, in general. 

So we have come a long way since I first started on the cyberse- 
curity issue back in 2007. We have certainly raised awareness. We 
have come a long way in getting everybody, for example, in the Na- 
tional security apparatus from the President on down, to under- 
stand how challenging and difficult cybersecurity is, how important 
it is to the country, how vulnerable we are in many ways, and very 
dependent on cyber-related issues. 

Now, of course, what do we do about it? There is a variety of 
tasks that we need to take, that we are taking. Some of it will 
come through legislation. Others are going to come through regula- 
tion. Others are going to come from this public-private partnership 
certainly, which is going to be vital because Government nor pri- 
vate sector can do this independently on its own. 

Also a role for the FCC. I have met with FCC commissioners and 
have written several times to the chair of the FCC, and they are 
moving in the direction doing more in this space as well. The insur- 
ance industry also, I believe, has a critical role to play here. I have 
met with some of the largest insurers in the country, both to en- 
courage them to move more into this space, but also to hear from 
them and clearly see what they are doing in this space. They are 
now writing policies that are more reflective of the risks that com- 
panies face in this area. 

Clearly, if you have 2 companies, and 1 is investing heavily in 
cybersecurity protections and doing everything they can to protect 
customer data and prevent the consequences of a cyber attack, the 
policy should be written to reflect that. Those that are doing very 
minimal amount, then the policy should be written and priced ac- 
cordingly as well. So I think this is an important discussion. 

So, Mr. Finan, I found your testimony very insightful. I deeply 
appreciate your work with DHS and thank you for your commit- 
ment to public service. I am wondering if you can clarify a few 
things for me. I am certainly very fond of the NIST cybersecurity 
framework, and I fully understand the importance of having a risk- 
based approach to handling cybersecurity risks. 

That said, as you indicated in your testimony, current insurance 
offerings are not typically tailored to liabilities we tend to focus on 
in this committee, such as third-party harm due to an attack on 
an industrial control system. So, again, I fully recognize the value 
of raising the cybersecurity floor, but I just wanted to make sure 
I understood your testimony. Did I get that about right? 

Mr. Finan. Yes, I think so. Specifically, to the NIST cybersecu- 
rity framework, Congressman, the underwriting community espe- 
cially has been very supportive of it because it gave a vocabulary 
and an approach for brokers and underwriters to discuss cyber risk 
in a way that everyone was comfortable. You didn’t have to be a 
technical expert. I think the jury is still out on what the ultimate 
impact might be of the framework because they want to see how 
usage translates to fewer losses or less severe losses. So I think 
that there is a tremendous potential, but they are taking a wait- 
and-see approach. I think NIST is working and engaging with the 
insurance industry to see where it may head next. 

Mr. Langevin. Okay. Thank you for that. In that case, is it pos- 
sible that the floor we are raising is focused on business risk, for 
example, to a financial system, rather than on a risk relating to 
operational technology, since they are unlikely to be insured 
against? 

Mr. Finan. Yes. I think insurance can have that floor-raising im- 
pact. The C-suite understands the benefit of cybersecurity insur- 
ance and insurance base, generally. They see it through business 
terms, and they see it as an opportunity to really make that hard 
decision between, what Mr. McCabe was talking about, do you 
spend the last dollar on a technical solution, or do you transfer the 
risk through insurance? I think it is engendering some very 
healthy conversation between and among chief risk officers and 
other senior officials within companies with their cybersecurity 
teams. It is bridging that cultural divide that still remains, for 
most companies, but it is a vehicle to finally have that conversa- 
tion, and I think that is healthy. 

I think they are figuring it out, about what controls actually de- 
liver value. That is going to be a long-term and on-going discussion. 
But insurance is a good umbrella under which to have it. 
Mr. Langevin. One other follow-up on this line of questioning. Is 
there a widely-accepted definition of cybersecurity incident that you 
found, at least among critical manufacturers? 

Mr. Finan. Not that we came across, and I think it is because 
of the newness. People in the industrial control system space are 
very concerned about business interruption, obviously the physical 
damage that could result to critical infrastructure, if a hacker were 
to get in and have that intent. But because it is new to the insur- 
ance industry, as a concept and a potential area of coverage, they 
haven’t really defined it too specifically yet. But I think that is why 
the kind of collaboration that a group like the CIDAWG was en- 
couraging is something that DHS should continue, because you 
start to move toward those common definitions and vocabulary. 

Mr. Langevin. I think that would be helpful, and I am hoping 
that we are going to see us move in that kind of a direction and 
have that common understanding. I know my time has expired. 

Mr. Chairman, I don’t know if you are going to do a second 
round, but if you are, I am going to stay. All right. I yield back. 

Mr. Ratcliffe. I thank the gentleman. 

The Chair now recognizes my friend, the gentleman from Florida, 
Mr. Clawson. By the way, is it too late to offer condolences on your 
Boilermakers? 

Mr. Clawson. You know, it is a yearly thing, so don’t worry 
about it. When I see you dunk a breakaway, then you and I can 
talk. To be a tough guy, you have to have hit somebody at some 
point, right? Thanks for coming. If I knew it would have been a 
conversation about basketball, I would have checked your own cre- 
dentials. 

I am okay with voluntary cyber risk information being shared by 
companies. I am all right with that. My own observation was that 
most CEOs and boards are all over this. They are all over this. 
They know that disaster is right around the corner, and it is not 
just financial interruption of business. It is embarrassment, and 
customers have a hard time getting over it. Moreover, a lot of us 
are business-to-business suppliers, and we don’t have a lot of choice 
in the matter, to begin with. So we are part of a larger supply 
chain that makes this more complicated, and, moreover, it is an 
international supply chain. 

The final point I guess I would make is that every ERP imple- 
mentation that I have done is unique. I wonder about an insurance 
market, I hear actuarial data, and I say, wait a minute, every time 
I did an SAP it was a little different. Sometimes we touched a base 
code; sometimes we didn’t. Sometimes we integrated with the fi- 
nancials and with the customers; sometimes we didn’t. 

So to set up data that is somewhat standardized so that an in- 
surance industry can make decisions when there is no standardized 
data, I will just tell you, from my desk, I don’t know. I don’t know. 
I don’t know if that is even practical, because these things are very, 
very customized and very, very unique. That is what they are, be- 
cause every business is different. You know, I operated in 20 coun- 
tries or so, you know, and all of them had governing bodies. There- 
fore, all of my instincts tell me, let the market catch up to itself 

I know if I was going to buy insurance, the only person I would 
buy it from is the consultant doing my SAP or whatever it was, the 
ERP implementation. To have a third party that is not involved in 
my system, that is therefore going to decide whether he is going 
to pay me and everybody, not knowing who messed up on keeping, 
you know, everything secure, seems like a very difficult thing to do. 
So I know what I would do if I was going to buy insurance from 
one of these things, and I am spending 3 to 5 percent of my top 
line on IT every year, I would buy it from the guy that helps me 
put in the system. 

Given all that — 2 minutes of talking about that — it just seems to 
me that we have to let the market catch up here. The less the Gov- 
ernment is involved, the better. You just slow it down. The data 
that we collect, in order to have a standardized kind of approach 
to this, is not going to be worth a lot because every implementation 
of an IT system is unique. So I am worried about the whole thing 
that we will try to help, but we will actually make things different. 
Do you all agree with that? I mean, we will try to help, but we will 
make things more difficult. Do you all agree with that, or am I 
missing on that? 

Mr. Hamm. Yes. 

Mr. Clawson. Anybody disagree with what I just said? 

Mr. McCabe. So, of course, not disagree. 

Mr. Clawson. If you do, that is okay. 

Mr. McCabe. I would want to try and put some bones around 
what we are doing going forward. So I know for the data reposi- 
tory, I mean, there is no “there” there yet. It is just a conversation. 
I think it is a question of how they reach the ultimate solution. So 
to add another layer of complexity for everything you are talking 
about, I mean, this peril has been compared several times to fire; 
but, of course, we are not facing a fire here. We are facing an ad- 
versarial relationship that changes tactics and technique. So that 
can call into question just how valuable is actuarial data, if the 
threat is going to change every time you change your security. 

But, you know, one of the things that I did not mention, but I 
do want to mention, is this committee, the subcommittee and the 
committee and Chairman and this entire Congress, has done a lot 
of great work on cyber information-sharing legislation getting 
passed this year. We are going to see a lot more information shar- 
ing among many different ISAOs. Right? 

So if we are starting to get into this culture where we are doing 
much more information sharing, then maybe there is a way we can 
glean from that financial impact data that can lead to trends. That 
does not have to be a Federal Government solution. Maybe that 
can represent value to several different industries, including the in- 
surance industry. 

Mr. Clawson. I am okay with that, if it is voluntary. But I do 
want to say to the Chairman, thank you for this. I just want to 
make sure people up here that sometimes don’t understand the 
complexity of what you all are talking about, it is easy to come to 
a conclusion that we can make some sort of standardized impact 
on a moving target that is beyond complex and that we in Govern- 
ment don’t understand. I just want to make sure you all get that 
point. I mean, that is my point to the group. Be careful on what 
we try to do here, or we will make a very difficult situation even 
worse because the threats are, you know, so difficult. 
Thank you. I yield back. 

Mr. Ratcliffe. I thank the gentleman. I’m going to open a sec- 
ond round of questions for anyone that is interested. I had a couple 
of follow-ups that I wanted to make sure we got to today. 

I want to come back to you, Mr. McCabe. Technical questions. 
But do insurers generally mandate certain prerequisites or cyberse- 
curity efforts at all before anyone could be issued coverage in this 
space? 

Mr. McCabe. I mean, certainly it depends how we define efforts. 
But I think the question is — absolutely. You know, if you find out 
that you have an applicant who simply isn’t using firewalls because 
they don’t believe in them, then the insurance market is just sim- 
ply going to walk away from them. From a far more practical ex- 
ample, take for instance retailers. So if you have a retailer who 
simply is choosing not to be compliant with PCI standards, it is 
going to be very, very difficult to get that particular applicant cov- 
erage. 

Take that a step further. If you have a retailer who is not keep- 
ing up with the technical standards, the practices that would have 
prevented breaches like Target and Home Depot back in 2014, and 
that is using end-to-end encryption, that is tokenizing your data so 
it is just transaction numbers; it is not the actual card numbers — 
if you don’t have those state-of-the-art practices, then it is going to 
be very, very difficult, if not impossible, to get that retailer cov- 
erage. 

So I think, while for most industries there is not a hard-and-fast 
rule, because there isn’t regulation, because it is very hard to regu- 
late in this space because things change so quickly, but there cer- 
tainly are practices that are required. Now, there are, of course, 
certain industries where there is heavy regulation. There is HIPAA 
compliance. There is FERC, NERC standards, CIP standards. I 
mean, those, of course, you have to comply with. 

Mr. Ratcliffe. So as a follow-up to that, and maybe, Mr. Hamm, 
you can weigh in on this as well. Are there certain common condi- 
tions in cyber insurance policies, or in limitations or exclusions to 
those policies, that essentially would undermine the effectiveness of 
that coverage? 

Mr. Hamm. Nothing that I have seen yet. Again, the market is 
in such an infancy stage that my colleagues and I haven’t got to 
a point where we are reviewing so many different rates and forms 
that I can give you, you know, an informed answer to that ques- 
tion. 

Mr. Ratcliffe. So when we talk about assessing the solvency of 
insurance policies that cover cyber, is there a point, or at what 
point do we need to be concerned about U.S. companies becoming 
insolvent because of their inability to cover one-off cyber events of 
a great magnitude? 

Mr. Hamm. So thankfully, we are not there yet, obviously. That 
is one of the reasons why the NAIC is so interested in gathering 
very granular level data on what this market is looking like, not 
just to give us a snapshot of claims, premiums, losses, et cetera, 
but to start to tell us if there are any of these companies that are 
selling these sorts of products that may not fully understand the 
risks they are taking on and may not be able to pay claims when 
they come due. 

So that is a big part of why we are gathering that data. We are 
going to get the first batch of that here within the next few weeks. 
We would be happy to provide that to this committee, once we have 
it in a form that we can release publicly. 

Mr. Ratcliffe. So, Mr. Finan, I want to ask you a question, be- 
cause of your experience in setting up the CIDAWG. We have had 
this conversation about standing up a data repository of some type. 
In your mind, who would be the ideal entity to house that? 

Mr. Finan. I am going to do it in my basement. No. It is a great 
question, Congressman. Truly, I think the CIDAWG members 
themselves are probably the best equipped to answer that. The 
CIPAC meetings that we were holding, the Critical Infrastructure 
Protection Advisory Council, we really had not pushed toward who 
should own and operate. They were very clear, however, that the 
ghost of Edward Snowden still lives, and they were not overly keen 
on the Federal Government owning and operating. 

However, they did feel that the Federal Government had an 
enormous role to play in terms of convening the conversation so 
they themselves could figure it out. They are also very interested 
in the Federal Government providing data about cyber incidents so 
they could start to get their underwriting bearings. However, there 
are a couple of models that are out there. I know the working 
group has talked about ISAOs as a potential model, ISACs as well. 
I know a number have been interested in potentially looking at 
FFRDCs and universities and similar communities. 

But the truth of the matter is, is that this is a needs and require- 
ments discussion about what is the value of a repository? What 
data do you need? Ultimately, what is it going to get you in terms 
of better understanding about how to invest more wisely against 
the risk? Really, anyone could take these public documents and de- 
cide to build a repository. We really wanted to lay out the roadmap 
for them to do that, and I think the group next month will have 
some recommendations that are more specific. But it is really for 
anyone to read and review and, hopefully, engage. 

Mr. Ratcliffe. All right. Thank you very much. My time has ex- 
pired again. 

The Chair now recognizes the gentleman from Rhode Island, Mr. 
Langevin. 

Mr. Langevin. Thank you, Mr. Chairman. Mr. Finan, if I could 
return to you. I was intrigued by your description of the aviation 
industry’s near-miss database and its possible application to a cy- 
bersecurity context. So I imagine that a better understanding of 
the interconnectedness of critical infrastructure would be essential 
to be able to grasp the consequences if an incident had been a miss 
in the cyber world — I should say had not been a miss in the cyber 
world. 

Does that comport with your thinking, and can you suggest what 
additional research would need to be done to adopt this model? 

Mr. Finan. So the near-miss repository was something that real- 
ly captured the imagination of the working group because at the 
outset, the commercial aviation sector didn’t believe that they could 
actually share very sensitive information among themselves to find 
common, you know, safety solutions. But lo and behold, they did. 
They were able to create that environment largely through the de- 
velopment of nondisclosure agreements. They encrypt data. They 
had an anonymization protocol. So we brought them in to come and 
talk to us about how they did it. Really, we needed to dispel the 
notion that a repository would somehow be impossible to develop. 

There were other examples as well. DOD came in and talked 
about some of their experiences with creating an anonymization 
protocol. There were other groups that, you know, sort-of talked 
about how they worked it. None was perfect, but it did convince 
folks that, hey, this is potentially doable. 

I think the main goal is that when you have a group of individ- 
uals that are facing a shared business problem, and cyber risk is 
certainly that, that the people who say no, and the fear, ultimately 
has to relent to some kind of sharing. So the recommendation was, 
gee, if we could do something like the near-miss database for the 
aviation sector, that would get us closer. 

So we had a very in-depth conversation with the organizers from 
MITRE who put that together. They, I think, will be participants 
in the workshop that DHS is hosting next month, really to gen- 
erate ideas. Because some of this information, some of it is sen- 
sitive certainly, but if you can share it at a generic enough level, 
the insurance industry and the CISOs that joined us really felt 
strongly that that would be enough for them to get a fix on what 
needs to be done, and how to direct their budgets against cyber 
risk, accordingly. So I am happy to report that there are these 
models that can be adopted. 

Mr. Langevin. Very good. That is very helpful. Thank you. 

Mr. McCabe, and I certainly welcome any of the other panelists 
to chime in. Can you describe the claims investigation, if any, that 
you conduct following a cybersecurity incident? 

Mr. McCabe. So the broker is usually not responsible for claims 
investigation. That will be by the carrier into their claims or by the 
company itself by retaining their own counsel. I mean, typically 
what happens is there is a cyber breach, and the first move by the 
insured would be to reach out to their attorneys, who will coordi- 
nate with the forensics company to find out exactly what happened 
and what is the impact. Then based on that impact, you might 
have different responsibilities. 

If it has been a breach of personally identifiable information, 
then State law requires certain efforts, such as notifying, credit 
monitoring, and fraud restoration. Perhaps, you know, there is an 
extortion demand in which there is an entire different set of serv- 
ices that have to go in. Perhaps there is a business outage in which 
it is more a forensics investigation of, well, what has this company 
actually lost and what are the expenses that you have suffered as 
a result of that business outage? 

I think that that is typically how the incident response comes. 
But from an investigation into what actually happens during the 
claim, that is usually headed up by the carrier. 

Mr. Langevin. So in the part of the investigation, as the carrier 
is doing this, do they go back and look at, did the insured do what 
they said they had done in terms of complying, say, with NIST 
standards and such that, you know, obviously that the policy was 
written in such a way that the company, the firm, made certain 
representations that they raised their level of cybersecurity protec- 
tion to X level. Is there a part of that investigation that does 
forensics to see if they actually did what they said they were doing? 

Mr. McCabe. Sure. Of course. Ranking Member Richmond 
brought this up in his opening statement as well, that during the 
application process, you can make representations upon which the 
underwriter will rely, and that actually becomes part of your appli- 
cation. Now, if it turns out what you represented is not true, that 
could be grounds for denying the claim. That is really one of the 
things that incentivizes the better practices. You have to let the 
rubber meet the road on how you are practicing security. You can’t 
just get the insurance based on a bad-faith application. 

Mr. Langevin. Very good. Okay. Thank you all very much. Un- 
less there is anything else from the panel on that particular topic? 

Okay. I yield back. 

Thank you, Mr. Chairman. 

Mr. Ratcliffe. I thank the gentleman. We will let that be the 
last word. I thank all the witnesses for your testimony today and 
the Members for all of their questions. The Members of the com- 
mittee may have some additional questions for any of you wit- 
nesses and, if so, we will ask you to respond to those in writing. 
Pursuant to Committee Rule VII(e), the hearing record will be held 
open for a period of 10 days. 

Without objection, the subcommittee stands adjourned. 

[Whereupon, at 11:30 a.m., the subcommittee was adjourned.] 